# Access management for AWS resources
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. When a [principal](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#principal) makes a request in AWS, the AWS enforcement code checks whether the principal is authenticated (signed in) and authorized (has permissions). You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. Policies are JSON documents in AWS that, when attached to an identity or resource, define their permissions. For more information about policy types and uses, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
For details about the rest of the authentication and authorization process, see [How IAM works](intro-structure.md).
![\[AccessManagement_Diagram\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access-diagram_800.png)
During authorization, the AWS enforcement code uses values from the [request context](intro-structure.md#intro-structure-request) to check for matching policies and determine whether to allow or deny the request.
AWS checks each policy that applies to the context of the request. If a single policy denies the request, AWS denies the entire request and stops evaluating policies. This is called an *explicit deny*. Because requests are *denied by default*, IAM authorizes your request only if every part of your request is allowed by the applicable policies. The [evaluation logic](reference_policies_evaluation-logic.md) for a request within a single account follows these rules:
+ By default, all requests are implicitly denied. (Alternatively, by default, the AWS account root user has full access.)
+ An explicit allow in an identity-based or resource-based policy overrides this default.
+ If a permissions boundary, AWS Organizations SCP, or session policy is present, it might override the allow with an implicit deny.
+ An explicit deny in any policy overrides any allows.
After your request has been authenticated and authorized, AWS approves the request. If you need to make a request in a different account, a policy in the other account must allow you to access the resource. In addition, the IAM entity that you use to make the request must have an identity-based policy that allows the request.
## Access management resources
For more information about permissions and about creating policies, see the following resources:
The following entries in the AWS Security Blog cover common ways to write policies for access to Amazon S3 buckets and objects.
+ [Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket](https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/)
+ [Writing IAM policies: Grant Access to User-Specific Folders in an Amazon S3 Bucket](https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/)
+ [IAM Policies and Bucket Policies and ACLs\$1 Oh My\$1 (Controlling Access to S3 Resources)](https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/)
+ [A Primer on RDS Resource-Level Permissions](https://aws.amazon.com/blogs/security/a-primer-on-rds-resource-level-permissions)
+ [Demystifying EC2 Resource-Level Permissions](https://aws.amazon.com/blogs/security/demystifying-ec2-resource-level-permissions/)
# Policies and permissions in AWS Identity and Access Management
Manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports seven types of policies: identity-based policies, resource-based policies, permissions boundaries, AWS Organizations service control policies (SCPs), AWS Organizations resource control policies (RCPs), access control lists (ACLs), and session policies.
IAM policies define permissions for an action regardless of the method that you use to perform the operation. For example, if a policy allows the [GetUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html) action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API. When you create an IAM user, you can choose to allow console or programmatic access. If console access is allowed, the IAM user can sign in to the console using their sign-in credentials. If programmatic access is allowed, the user can use access keys to work with the CLI or API.
## Policy types
The following policy types, listed in order from most frequently used to less frequently used, are available for use in AWS. For more details, see the sections below for each policy type.
+ **[Identity-based policies](#policies_id-based)** – Attach [managed](#managedpolicy) and [inline](#inline) policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
+ **[Resource-based policies](#policies_resource-based)** – Attach inline policies to resources. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Resource-based policies grant permissions to the principal that is specified in the policy. Principals can be in the same account as the resource or in other accounts.
+ **[Permissions boundaries](#policies_bound)** – Use a managed policy as the permissions boundary for an IAM entity (user or role). That policy defines the maximum permissions that the identity-based policies can grant to an entity, but does not grant permissions. Permissions boundaries do not define the maximum permissions that a resource-based policy can grant to an entity.
+ **[AWS Organizations SCPs](#policies_scp)** – Use an AWS Organizations service control policy (SCP) to define the maximum permissions for IAM users and IAM roles within accounts in your organization or organizational unit (OU). SCPs limit permissions that identity-based policies or resource-based policies grant to IAM users or IAM roles within the account. SCPs do not grant permissions.
+ **[AWS Organizations RCPs](#policies_rcp)** – Use an AWS Organizations resource control policy (RCP) to define the maximum permissions for resources within accounts in your organization or organizational unit (OU). RCPs limit permissions that identity-based and resource-based policies can grant to resources in accounts within your organization. RCPs do not grant permissions.
+ **[Access control lists (ACLs)](#policies_acl)** – Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. ACLs are cross-account permissions policies that grant permissions to the specified principal. ACLs cannot grant permissions to entities within the same account.
+ **[Session policies](#policies_session)** – Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user. Session policies limit the permissions that the role or user's identity-based policies grant to the session. Session policies limit permissions for a created session, but do not grant permissions. For more information, see [Session Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session).
### Identity-based policies
Identity-based policies are JSON permissions policy documents that control what actions an identity (users, groups of users, and roles) can perform, on which resources, and under what conditions. Identity-based policies can be further categorized:
+ **Managed policies** – Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. There are two types of managed policies:
+ **AWS managed policies** – Managed policies that are created and managed by AWS.
+ **Customer managed policies** – Managed policies that you create and manage in your AWS account. Customer managed policies provide more precise control over your policies than AWS managed policies.
+ **Inline policies** – Policies that you add directly to a single user, group, or role. Inline policies maintain a strict one-to-one relationship between a policy and an identity. They are deleted when you delete the identity.
To learn how to choose between managed and inline policies, see [Choose between managed policies and inline policies](access_policies-choosing-managed-or-inline.md).
### Resource-based policies
Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket. These policies grant the specified principal permission to perform specific actions on that resource and defines under what conditions this applies. Resource-based policies are inline policies. There are no managed resource-based policies.
To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. Adding a cross-account principal to a resource-based policy is only half of establishing the trust relationship. When the principal and the resource are in separate AWS accounts, you must also use an identity-based policy to grant the principal access to the resource. However, if a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For step-by step instructions for granting cross-service access, see [IAM tutorial: Delegate access across AWS accounts using IAM roles](tutorial_cross-account-with-roles.md).
The IAM service supports only one type of resource-based policy called a role *trust policy*, which is attached to an IAM role. An IAM role is both an identity and a resource that supports resource-based policies. For that reason, you must attach both a trust policy and an identity-based policy to an IAM role. Trust policies define which principal entities (accounts, users, roles, and federated users) can assume the role. To learn how IAM roles are different from other resource-based policies, see [Cross account resource access in IAM](access_policies-cross-account-resource-access.md).
To see which other services support resource-based policies, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md). To learn more about resource-based policies, see [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md). To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html).
### IAM permissions boundaries
A permissions boundary is an advanced feature in which you set the maximum permissions that an identity-based policy can grant to an IAM entity. When you set a permissions boundary for an entity, the entity can perform only the actions that are allowed by both its identity-based policies and its permissions boundaries. If you specify a role session or user in the principal element of a resource-based policy, an explicit allow in the permission boundary is not required. However, if you specify a role ARN in the principal element of a resource-based policy, an explicit allow in the permission boundary is required. In both cases, an explicit deny in the permission boundary is effective. An explicit deny in any of these policies overrides the allow. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](access_policies_boundaries.md).
### AWS Organizations service control policies (SCPs)
If you enable all features in an organization, then you can apply service control policies (SCPs) to any or all of your accounts. SCPs are JSON policies that specify the maximum permissions for IAM users and IAM roles within accounts of an organization or organizational unit (OU). The SCP limits permissions for principals in member accounts, including each AWS account root user. An explicit deny in any of these policies overrides an allow in other policies.
For more information about AWS Organizations and SCPs, see [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *AWS Organizations User Guide*.
### AWS Organizations resource control policies (RCPs)
If you enable all features in an organization, then you can use resource control policies (RCPs) to centrally apply access controls on resources across multiple AWS accounts. RCPs are JSON policies that you can use to set the maximum available permissions for resources in your accounts without updating the IAM policies attached to each resource that you own. The RCP limits permissions for resources in member accounts and can impact the effective permissions for identities, including the AWS account root user, regardless of whether they belong to your organization. An explicit deny in any applicable RCP overrides an allow in other policies that might be attached to individual identities or resources.
For more information about AWS Organizations and RCPs including a list of AWS services that support RCPs, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) in the *AWS Organizations User Guide*.
### Access control lists (ACLs)
Access control lists (ACLs) are service policies that allow you to control which principals in another account can access a resource. ACLs cannot be used to control access for a principal within the same account. ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document format. Amazon S3, AWS WAF, and Amazon VPC are examples of services that support ACLs. To learn more about ACLs, see [Access Control List (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service Developer Guide*.
### Session policies
Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or an AWS STS federated user principal. The permissions for a session are the intersection of the identity-based policies for the IAM entity (user or role) used to create the session and the session policies. Permissions can also come from a resource-based policy. An explicit deny in any of these policies overrides the allow.
You can create role session and pass session policies programmatically using the `AssumeRole`, `AssumeRoleWithSAML`, or `AssumeRoleWithWebIdentity` API operations. You can pass a single JSON inline session policy document using the `Policy` parameter. You can use the `PolicyArns` parameter to specify up to 10 managed session policies. For more information about creating a role session, see [Permissions for temporary security credentials](id_credentials_temp_control-access.md).
When you create an AWS STS federated user principal session, you use the access keys of the IAM user to programmatically call the `GetFederationToken` API operation. You must also pass session policies. The resulting session's permissions are the intersection of the identity-based policy and the session policy. For more information about creating a federated user session, see [Requesting credentials through a custom identity broker](id_credentials_temp_request.md#api_getfederationtoken).
A resource-based policy can specify the ARN of the user or role as a principal. In that case, the permissions from the resource-based policy are added to the role or user's identity-based policy before the session is created. The session policy limits the total permissions granted by the resource-based policy and the identity-based policy. The resulting session's permissions are the intersection of the session policies and the resource-based policies plus the intersection of the session policies and identity-based policies.
![\[Evaluation of the session policy with a resource-based policy specifying the entity ARN\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/EffectivePermissions-session-rbp-id.png)
A resource-based policy can specify the ARN of the session as a principal. In that case, the permissions from the resource-based policy are added after the session is created. The resource-based policy permissions are not limited by the session policy. The resulting session has all the permissions of the resource-based policy *plus* the intersection of the identity-based policy and the session policy.
![\[Evaluation of the session policy with a resource-based policy specifying the session ARN\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/EffectivePermissions-session-rbpsession-id.png)
A permissions boundary can set the maximum permissions for a user or role that is used to create a session. In that case, the resulting session's permissions are the intersection of the session policy, the permissions boundary, and the identity-based policy. However, a permissions boundary does not limit permissions granted by a resource-based policy that specifies the ARN of the resulting session.
![\[Evaluation of the session policy with a permissions boundary\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/EffectivePermissions-session-boundary-id.png)
## Policies and the root user
The AWS account root user is affected by some policy types but not others. You cannot attach identity-based policies to the root user, and you cannot set the permissions boundary for the root user. However, you can specify the root user as the principal in a resource-based policy or an ACL. A root user is still the member of an account. If that account is a member of an organization in AWS Organizations, the root user is affected by SCPs and RCPs for the account.
## Overview of JSON policies
Most policies are stored in AWS as JSON documents. Identity-based policies and policies used to set permissions boundaries are JSON policy documents that you attach to a user or role. Resource-based policies are JSON policy documents that you attach to a resource. SCPs and RCPs are JSON policy documents with restricted syntax that you attach to the AWS Organizations' organization root, organizational unit (OU), or an account. ACLs are also attached to a resource, but you must use a different syntax. Session policies are JSON policies that you provide when you assume a role or federated user session.
It is not necessary for you to understand the JSON syntax. You can use the visual editor in the AWS Management Console to create and edit customer managed policies without ever using JSON. However, if you use inline policies for groups or complex policies, you must still create and edit those policies in the JSON editor using the console. For more information about using the visual editor, see [Define custom IAM permissions with customer managed policies](access_policies_create.md) and [Edit IAM policies](access_policies_manage-edit.md).
When you create or edit a JSON policy, IAM can perform policy validation to help you create an effective policy. IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see [IAM policy validation](access_policies_policy-validator.md). To learn more about IAM Access Analyzer policy checks and actionable recommendations, see [ IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html).
### JSON policy document structure
As illustrated in the following figure, a JSON policy document includes these elements:
+ Optional policy-wide information at the top of the document
+ One or more individual statements**
Each statement includes information about a single permission. If a policy includes multiple statements, AWS applies a logical `OR` across the statements when evaluating them. If multiple policies apply to a request, AWS applies a logical `OR` across all of those policies when evaluating them.
![\[JSON policy document structure\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/AccessPolicyLanguage_General_Policy_Structure.diagram.png)
The information in a statement is contained within a series of elements.
+ **Version** – Specify the version of the policy language that you want to use. We recommend that you use the latest `2012-10-17 ` version. For more information, see [IAM JSON policy elements: Version](reference_policies_elements_version.md)
+ **Statement** – Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
+ **Sid** (Optional) – Include an optional statement ID to differentiate between your statements.
+ **Effect** – Use `Allow` or `Deny` to indicate whether the policy allows or denies access.
+ **Principal** (Required in some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or AWS STS federated user principal to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
+ **Action** – Include a list of actions that the policy allows or denies.
+ **Resource** (Required in some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, it depends on the resource you're using as to whether this element is required or not.
+ **Condition** (Optional) – Specify the circumstances under which the policy grants permission.
To learn about these and other more advanced policy elements, see [IAM JSON policy element reference](reference_policies_elements.md).
### Multiple statements and multiple policies
If you want to define more than one permission for an entity (user or role), you can use multiple statements in a single policy. You can also attach multiple policies. If you try to define multiple permissions in a single statement, your policy might not grant the access that you expect. We recommend that you break up policies by resource type.
Because of the [limited size of policies](reference_iam-quotas.md), it might be necessary to use multiple policies for more complex permissions. It's also a good idea to create functional groupings of permissions in a separate customer managed policy. For example, Create one policy for IAM user management, one for self-management, and another policy for S3 bucket management. Regardless of the combination of multiple statements and multiple policies, AWS [evaluates](reference_policies_evaluation-logic.md) your policies the same way.
For example, the following policy has three statements, each of which defines a separate set of permissions within a single account. The statements define the following:
+ The first statement, with an `Sid` (Statement ID) of `FirstStatement`, lets the user with the attached policy change their own password. The `Resource` element in this statement is "`*`" (which means "all resources"). But in practice, the `ChangePassword` API operation (or equivalent `change-password` CLI command) affects only the password for the user who makes the request.
+ The second statement lets the user list all the Amazon S3 buckets in their AWS account. The `Resource` element in this statement is `"*"` (which means "all resources"). But because policies don't grant access to resources in other accounts, the user can list only the buckets in their own AWS account.
+ The third statement lets the user list and retrieve any object that is in a bucket named `amzn-s3-demo-bucket-confidential-data`, but only when the user is authenticated with multi-factor authentication (MFA). The `Condition` element in the policy enforces the MFA authentication.
When a policy statement contains a `Condition` element, the statement is only in effect when the `Condition` element evaluates to true. In this case, the `Condition` evaluates to true when the user is MFA-authenticated. If the user is not MFA-authenticated, this `Condition` evaluates to false. In that case, the third statement in this policy does not apply and the user does not have access to the `amzn-s3-demo-bucket-confidential-data` bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "FirstStatement",
"Effect": "Allow",
"Action": ["iam:ChangePassword"],
"Resource": "*"
},
{
"Sid": "SecondStatement",
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Sid": "ThirdStatement",
"Effect": "Allow",
"Action": [
"s3:List*",
"s3:Get*"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket-confidential-data",
"arn:aws:s3:::amzn-s3-demo-bucket-confidential-data/*"
],
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
}
]
}
```
------
### Examples of JSON policy syntax
The following identity-based policy allows the implied principal to list a single Amazon S3 bucket named `amzn-s3-demo-bucket`:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
}
}
```
------
The following resource-based policy can be attached to an Amazon S3 bucket. The policy allows members of a specific AWS account to perform any Amazon S3 actions in the bucket named `amzn-s3-demo-bucket`. It allows any action that can be performed on a bucket or the objects within it. (Because the policy grants trust only to the account, individual users in the account must still be granted permissions for the specified Amazon S3 actions.)
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111122223333:root"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*"
]
}
]
}
```
------
To view example policies for common scenarios, see [Example IAM identity-based policies](access_policies_examples.md).
## Grant least privilege
When you create IAM policies, follow the standard security advice of granting *least privilege*, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform *only* those tasks.
Start with a minimum set of permissions and grant additional permissions as necessary. Doing so is more secure than starting with permissions that are too lenient and then trying to tighten them later.
As an alternative to least privilege, you can use [AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies) or policies with wildcard `*` permissions to get started with policies. Consider the security risk of granting your principals more permissions than they need to do their job. Monitor those principals to learn which permissions they are using. Then write least privilege policies.
IAM provides several options to help you refine the permissions that you grant.
+ **Understand access level groupings** – You can use access level groupings to understand the level of access that a policy grants. [Policy actions](reference_policies_elements_action.md) are classified as `List`, `Read`, `Write`, `Permissions management`, or `Tagging`. For example, you can choose actions from the `List` and `Read` access levels to grant read-only access to your users. To learn how to use policy summaries to understand access level permissions, see [Access levels in policy summaries](access_policies_understand-policy-summary-access-level-summaries.md).
+ **Validate your policies** – You can perform policy validation using IAM Access Analyzer when you create and edit JSON policies. We recommend that you review and validate all of your existing policies. IAM Access Analyzer provides over 100 policy checks to validate your policies. It generates security warnings when a statement in your policy allows access we consider overly permissive. You can use the actionable recommendations that are provided through the security warnings as you work toward granting least privilege. To learn more about policy checks provided by IAM Access Analyzer, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html).
+ **Generate a policy based on access activity** – To help you refine the permissions that you grant, you can generate an IAM policy that is based on the access activity for an IAM entity (user or role). IAM Access Analyzer reviews your AWS CloudTrail logs and generates a policy template that contains the permissions that have been used by the entity in your specified time frame. You can use the template to create a managed policy with fine-grained permissions and then attach it to the IAM entity. That way, you grant only the permissions that the user or role needs to interact with AWS resources for your specific use case. To learn more, see [IAM Access Analyzer policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html).
+ **Use last accessed information** – Another feature that can help with least privilege is *last accessed information*. View this information on the **Access Advisor** tab on the IAM console details page for an IAM user, group, role, or policy. Last accessed information also includes information about the actions that were last accessed for some services, such as Amazon EC2, IAM, Lambda, and Amazon S3. If you sign in using AWS Organizations management account credentials, you can view service last accessed information in the **AWS Organizations** section of the IAM console. You can also use the AWS CLI or AWS API to retrieve a report for last accessed information for entities or policies in IAM or AWS Organizations. You can use this information to identify unnecessary permissions so that you can refine your IAM or AWS Organizations policies to better adhere to the principle of least privilege. For more information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
+ **Review account events in AWS CloudTrail** – To further reduce permissions, you can view your account's events in AWS CloudTrail **Event history**. CloudTrail event logs include detailed event information that you can use to reduce the policy's permissions. The logs include only the actions and resources that your IAM entities need. For more information, see [Viewing CloudTrail Events in the CloudTrail Console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html) in the *AWS CloudTrail User Guide*.
For more information, see the following policy topics for individual services, which provide examples of how to write policies for service-specific resources.
+ [Using resource-based policies for DynamoDB](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/access-control-resource-based.html) in the *Amazon DynamoDB Developer Guide*
+ [Bucket policies for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) in the *Amazon Simple Storage Service User Guide*
+ [Access Control List (ACL) overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service User Guide*
# Managed policies and inline policies
When you set the permissions for an identity in IAM, you must decide whether to use an AWS managed policy, a customer managed policy, or an inline policy. The following topics provide more information about each of the types of identity-based policies and when to use them.
The following table outlines these policies:
| Policy Type | Description | Who manages the policy? | Modify permissions? | Number of principals applied to policy? |
| --- | --- | --- | --- | --- |
| [AWS managed policies](#aws-managed-policies) | Standalone policy created and administered by AWS. | AWS | No | Many |
| [Customer managed policies](#customer-managed-policies) | Policy you create for specific use cases, and you can change or update them as often as you like. | You | Yes | Many |
| [Inline policies](#inline-policies) | Policy created for a single IAM identity (user, group, or role) that maintains a strict one-to-one relationship between a policy and an identity. | You | Yes | One |
**Topics**
+ [AWS managed policies](#aws-managed-policies)
+ [Customer managed policies](#customer-managed-policies)
+ [Inline policies](#inline-policies)
+ [Choose between managed policies and inline policies](access_policies-choosing-managed-or-inline.md)
+ [Convert an inline policy to a managed policy](access_policies-convert-inline-to-managed.md)
+ [Deprecated AWS managed policies](access_policies_managed-deprecated.md)
## AWS managed policies
An *AWS managed policy* is a standalone policy that is created and administered by AWS. A *standalone policy* means that the policy has its own Amazon Resource Name (ARN) that includes the policy name. For example, `arn:aws:iam::aws:policy/IAMReadOnlyAccess` is an AWS managed policy. For more information about ARNs, see [IAM ARNs](reference_identifiers.md#identifiers-arns). For a list of AWS managed policies for AWS services, see [AWS managed policies](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/policy-list.html).
AWS managed policies make it convenient for you to assign appropriate permissions to users, IAM groups, and roles. It is faster than writing the policies yourself, and includes permissions for many common use cases.
You cannot change the permissions defined in AWS managed policies. AWS occasionally updates the permissions defined in an AWS managed policy. When AWS does this, the update affects all principal entities (IAM users, IAM groups, and IAM roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API calls become available for existing services. For example, the AWS managed policy called **ReadOnlyAccess** provides read-only access to all AWS services and resources. When AWS launches a new service, AWS updates the **ReadOnlyAccess** policy to add read-only permissions for the new service. The updated permissions are applied to all principal entities that the policy is attached to.
*Full access AWS managed policies*: These define permissions for service administrators by granting full access to a service. Examples include:
+ [AmazonDynamoDBFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonDynamoDBFullAccess.html)
+ [IAMFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/IAMFullAccess.html)
*Power-user AWS managed policies*: These provide full access to AWS services and resources, but do not allow managing users and IAM groups. Examples include:
+ [AWSCodeCommitPowerUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSCodeCommitPowerUser.html)
+ [AWSKeyManagementServicePowerUser](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSKeyManagementServicePowerUser.html)
*Partial-access AWS managed policies*: These provide specific levels of access to AWS services without allowing [permissions management](access_policies_understand-policy-summary-access-level-summaries.md#access_policies_access-level) access level permissions. Examples include:
+ [AmazonMobileAnalyticsWriteOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonMobileAnalyticsWriteOnlyAccess.html)
+ [AmazonEC2ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEC2ReadOnlyAccess.html)
*Job function AWS managed policies*: These policies align closely with commonly used job functions in the IT industry and facilitate granting permissions for these job functions. One key advantage of using job function policies is that they are maintained and updated by AWS as new services and API operations are introduced. For example, the [AdministratorAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AdministratorAccess.html) job function provides full access and permissions delegation to every service and resource in AWS. We recommend that you use this policy only for the account administrator. For power users that require full access to every service except limited access to IAM and AWS Organizations, use the [PowerUserAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/PowerUserAccess.html) job function. For a list and descriptions of the job function policies, see [AWS managed policies for job functions](access_policies_job-functions.md).
The following diagram illustrates AWS managed policies. The diagram shows three AWS managed policies: **AdministratorAccess**, **PowerUserAccess**, and **AWSCloudTrail\$1ReadOnlyAccess**. Notice that a single AWS managed policy can be attached to principal entities in different AWS accounts, and to different principal entities in a single AWS account.
![\[Diagram of AWS managed policies\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-aws-managed-policies.diagram.png)
## Customer managed policies
You can create standalone policies in your own AWS account that you can attach to principal entities (IAM users, IAM groups, and IAM roles). You create these *customer managed policies* for your specific use cases, and you can change and update them as often as you like. Like AWS managed policies, when you attach a policy to a principal entity, you give the entity the permissions that are defined in the policy. When you update permissions in the policy, the changes are applied to all principal entities that the policy is attached to.
A great way to create a customer managed policy is to start by copying an existing AWS managed policy. That way you know that the policy is correct at the beginning and all you need to do is customize it to your environment.
The following diagram illustrates customer managed policies. Each policy is an entity in IAM with its own [Amazon Resource Name (ARN)](reference_identifiers.md#identifiers-arns) that includes the policy name. Notice that the same policy can be attached to multiple principal entities—for example, the same **DynamoDB-books-app** policy is attached to two different IAM roles.
For more information, see [Define custom IAM permissions with customer managed policies](access_policies_create.md)
![\[Diagram of customer managed policies\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-customer-managed-policies.diagram.png)
## Inline policies
An inline policy is a policy created for a single IAM identity (a user, user group, or role). Inline policies maintain a strict one-to-one relationship between a policy and an identity. They are deleted when you delete the identity. You can create a policy and embed it in an identity, either when you create the identity or later. If a policy could apply to more than one entity, it’s better to use a managed policy.
The following diagram illustrates inline policies. Each policy is an inherent part of the user, group, or role. Notice that two roles include the same policy (the **DynamoDB-books-app** policy), but they are not sharing a single policy. Each role has its own copy of the policy.
![\[Diagram of inline policies\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-inline-policies.diagram.png)
# Choose between managed policies and inline policies
Consider your use cases when deciding between managed and inline policies. In most cases, we recommend that you use managed policies instead of inline policies.
**Note**
You can use both managed and inline policies together to define common and unique permissions for a principal entity.
Managed policies provide the following features:
**Reusability**
A single managed policy can be attached to multiple principal entities (users, groups, and roles). You can create a library of policies that define useful permissions for your AWS account, and then attach these policies to principal entities as needed.
**Central change management**
When you change a managed policy, the change is applied to all principal entities that the policy is attached to. For example, if you want to add permission for a new AWS API, you can update a customer managed policy or associate an AWS managed policy to add the permission. If you're using an AWS managed policy, AWS updates the policy. When a managed policy is updated, the changes are applied to all principal entities that the managed policy is attached to. In contrast, to change an inline policy, you must individually edit each identity that contains the inline policy. For example, if a group and a role both contain the same inline policy, you must individually edit both principal entities to change that policy.
**Versioning and rolling back**
When you change a customer managed policy, the changed policy doesn't overwrite the existing policy. Instead, IAM creates a new version of the managed policy. IAM stores up to five versions of your customer managed policies. You can use policy versions to revert a policy to an earlier version as needed.
A policy version is different from a `Version` policy element. The `Version` policy element is used within a policy and defines the version of the policy language. To learn more about policy versions, see [Versioning IAM policies](access_policies_managed-versioning.md). To learn more about the `Version` policy element see [IAM JSON policy elements: Version](reference_policies_elements_version.md).
**Delegating permissions management**
You can allow users in your AWS account to attach and detach policies while maintaining control over the permissions defined in those policies. To do this, designate some users as full administrators—that is, administrators that can create, update, and delete policies. You can then designate other users as limited administrators. Those limited administrators can attach policies to other principal entities, but only the policies that you have allowed them to attach.
For more information about delegating permissions management, see [Controlling access to policies](access_controlling.md#access_controlling-policies).
**Larger policy character limits**
The maximum character size limit for managed policies is greater than the character limit for group inline policies. If you reach the inline policy's character size limit, you can create more IAM groups and attach the managed policy to the group.
For more information on quotas and limits, see [IAM and AWS STS quotas](reference_iam-quotas.md).
**Automatic updates for AWS managed policies**
AWS maintains AWS managed policies and updates them when necessary, for example, to add permissions for new AWS services, without you having to make changes. The updates are automatically applied to the principal entities that you have attached the AWS managed policy to.
## Get started with managed policies
We recommend using policies that [grant least privilege](access_policies.md#grant-least-priv), or granting only the permissions required to perform a task. The most secure way to grant least privilege is to write a customer managed policy with only the permissions needed by your team. You must create a process to allow your team to request more permissions when necessary. It takes time and expertise to [create IAM customer managed policies](access_policies_create-console.md) that provide your team with only the permissions they need.
To get started adding permissions to your IAM identities (users, groups of users, and roles), you can use [AWS managed policies](access_policies_managed-vs-inline.md#aws-managed-policies). AWS managed policies don't grant least privilege permissions. You must consider the security risk of granting your principals more permissions than they need to do their job.
You can attach AWS managed policies, including job functions, to any IAM identity. For more information, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
To switch to least privilege permissions, you can run AWS Identity and Access Management and Access Analyzer to monitor the principals with AWS managed policies. After learning which permissions they are using, then you can write or generate a customer managed policy with only the required permissions for your team. This is less secure, but provides more flexibility as you learn how your team is using AWS. For more information, see [IAM Access Analyzer policy generation](access-analyzer-policy-generation.md).
AWS managed policies are designed to provide permissions for many common use cases. For more information about AWS managed policies that are designed for specific job functions, see [AWS managed policies for job functions](access_policies_job-functions.md).
For a list of AWS managed policies, see [AWS Managed Policy Reference Guide](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/about-managed-policy-reference.html).
## Using inline policies
Inline policies are useful if you want to maintain a strict one-to-one relationship between a policy and the identity to which it is applied. For example, if you want to be sure that the permissions in a policy are not inadvertently assigned to an identity other than the one they're intended for. When you use an inline policy, the permissions in the policy cannot be inadvertently attached to the wrong identity. In addition, when you use the AWS Management Console to delete that identity, the policies embedded in the identity are deleted as well because they are part of the principal entity.
# Convert an inline policy to a managed policy
If you have inline policies in your account, you can convert them to managed policies. To do this, copy the policy to a new managed policy. Next, attach the new policy to the identity that has the inline policy. Then delete the inline policy.
## Converting an inline policy to a managed policy
**To convert an inline policy to a managed policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **User groups**, **Users**, or **Roles**.
1. In the list, choose the name of the user group, user, or role that has the policy you want to remove.
1. Choose the **Permissions** tab.
1. For IAM groups, select the name of the inline policy that you want to remove. For users and roles, choose **Show *n* more**, if necessary, and then expand the inline policy that you want to remove.
1. Choose **Copy** to copy the JSON policy document for the policy.
1. In the navigation pane, choose **Policies**.
1. Choose **Create policy** and then choose the **JSON** option.
1. Replace the existing text with your JSON policy text, and then choose **Next**.
1. Enter a name and optional description for your policy and choose **Create policy**.
1. In the navigation pane, choose **User groups**, **Users**, or **Roles**, and again choose the name of the user group, user, or role that has the policy you want to remove.
1. Choose the **Permissions** tab and then choose **Add permissions**.
1. For IAM groups, select the checkbox next to the name of your new policy, choose **Add permissions**, and then choose **Attach policy**. For users or roles, choose **Add permissions**. On the next page, choose **Attach existing policies directly**, select the checkbox next to the name of your new policy, choose **Next**, and then choose **Add permissions**.
You are returned to the **Summary** page for your user group, user, or role.
1. Select the checkbox next to the inline policy that you want to remove and choose **Remove**.
# Deprecated AWS managed policies
To simplify the assignment of permissions, AWS provides [managed policies](access_policies_managed-vs-inline.md)—predefined policies that are ready to be attached to your IAM users, groups, and roles.
Sometimes AWS needs to add a new permission to an existing policy, such as when a new service is introduced. Adding a new permission to an existing policy does not disrupt or remove any feature or ability.
However, AWS might choose to create a *new* policy when the needed changes could impact customers if they were applied to an existing policy. For example, removing permissions from an existing policy could break the permissions of any IAM entity or application that depended upon it, potentially disrupting a critical operation.
Therefore, when such a change is required, AWS creates a completely new policy with the required changes and makes it available to customers. The old policy is then marked *deprecated*. For more information, see [Deprecated AWS managed policies](https://docs.aws.amazon.com//aws-managed-policy/latest/reference/about-managed-policy-reference.html#deprecated-managed-policies) in *AWS Managed Policy Reference Guide*.
# Establish permissions guardrails using data perimeters
Data perimeter guardrails are meant to serve as always-on boundaries to help protect your data across a broad set of AWS accounts and resources. Data perimeters follow IAM security best practices to [establish permissions guardrails across multiple accounts](best-practices.md#bp-permissions-guardrails). These organization-wide permissions guardrails do not replace your existing fine-grained access controls. Instead, they work as **coarse-grained access controls** that help improve your security strategy by ensuring users, roles, and resources adhere to a set of defined security standards.
A data perimeter is set of permission guardrails in your AWS environment which help ensure that only your trusted identities are accessing trusted resources from expected networks.
+ Trusted identities: Principals (IAM roles or users) in your AWS accounts and AWS services acting on your behalf.
+ Trusted resources: Resources owned by your AWS accounts or by AWS services acting on your behalf.
+ Expected networks: Your on-premises data centers and virtual private clouds (VPCs), or networks of AWS services acting on your behalf.
**Note**
In some cases, you may need to extend your data perimeter to also include access by your trusted business partners. You should consider all intended data access patterns when you create a definition of trusted identities, trusted resources, and expected networks specific to your company and your use of AWS services.
Data perimeter controls should be treated as any other security control within the information security and risk management program. This means that you should perform a threat analysis to identify potential risks within your cloud environment, and then, based on your own risk acceptance criteria, select and implement appropriate data perimeter controls. To better inform the iterative risk-based approach to data perimeter implementation, you need to understand what security risks and threat vectors are addressed by data perimeter controls as well as your security priorities.
## Data perimeter controls
Data perimeter coarse-grained controls help you achieve six distinct security objectives across three data perimeters through the implementation of different combinations of [Policy types](access_policies.md#access_policy-types) and [condition keys](reference_policies_condition-keys.md).
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_data-perimeters.html)
You can think of data perimeters as creating a firm boundary around your data to prevent unintended access patterns. Although data perimeters can prevent broad unintended access, you still need to make fine-grained access control decisions. Establishing a data perimeter does not diminish the need to continuously fine-tune permissions by using tools such as [IAM Access Analyzer](what-is-access-analyzer.md) as part of your journey to [least privilege](best-practices.md#grant-least-privilege).
To enforce data perimeter controls on resources that are currently not supported by RCPs, you can use resource-based policies that are attached to resources directly. For a list of services that support RCPs and resource-based policies, see [Resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) and [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md).
To enforce network perimeter controls, we recommend that you use `aws:VpceOrgID`, `aws:VpceOrgPaths`, and `aws:VpceAccount` only if all services you want to restrict access to are currently supported. Using these condition keys with unsupported services can lead to unintended authorization results. For a list of services that support the keys, see the [AWS global condition context keys](reference_policies_condition-keys.md). If you need to enforce the controls on a wider range of services, consider using `aws:SourceVpc` and `aws:SourceVpce` instead.
## Identity perimeter
An identity perimeter is a set of coarse-grained preventative access controls that help ensure only trusted identities can access your resources and only trusted identities are allowed from your network. Trusted identities usually include principals (roles or users) in your AWS accounts and AWS services acting on your behalf. All other identities are considered untrusted and are prevented by the identity perimeter unless an explicit exception is granted.
The following global condition keys help enforce identity perimeter controls based on your definition of trusted identities. Use these keys in resource control policies to restrict access to resources, or in [VPC endpoint policies](https://docs.aws.amazon.com//vpc/latest/privatelink/vpc-endpoints-access.html) to restrict access to your networks.
### Identities owned by you
You can use the following condition keys to define IAM principals that you create and manage in your AWS accounts.
+ [aws:PrincipalOrgID](reference_policies_condition-keys.md#condition-keys-principalorgid) – You can use this condition key to ensure that IAM principals making the request belong to the specified organization in AWS Organizations.
+ [aws:PrincipalOrgPaths](reference_policies_condition-keys.md#condition-keys-principalorgpaths) – You can use this condition key to ensure that the IAM user , IAM role, AWS STS federated user principal, SAML federated principal, OIDC federated principal, or AWS account root user making the request belong to the specified organizational unit (OU) in AWS Organizations.
+ [aws:PrincipalAccount](reference_policies_condition-keys.md#condition-keys-principalaccount) – You can use this condition key to ensure resources can only be accessed by the principal account that you specify in the policy.
### Identities of AWS services acting on your behalf
You can use the following condition keys to allow AWS services to use their own identities to access your resources when they act on your behalf.
+ [aws:PrincipalIsAWSService](reference_policies_condition-keys.md#condition-keys-principalisawsservice) and [aws:SourceOrgID](reference_policies_condition-keys.md#condition-keys-sourceorgid) (or [aws:SourceOrgPaths](reference_policies_condition-keys.md#condition-keys-sourceorgpaths) and [aws:SourceAccount](reference_policies_condition-keys.md#condition-keys-sourceaccount)) – You can use these condition keys to ensure that when [AWS service principals](reference_policies_elements_principal.md#principal-services) access your resources, they do it only on behalf of a resource in the specified organization, organizational unit, or an account in AWS Organizations.
For more information, see [ Establishing a data perimeter on AWS: Allow only trusted identities to access company data](https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-identities-to-access-company-data/).
## Resource perimeter
A resource perimeter is a set of coarse-grained preventative access controls that help ensure your identities can access only trusted resources and only trusted resources can be accessed from your network. Trusted resources usually include resources owned by your AWS accounts or by AWS services acting on your behalf.
The following global condition keys help enforce resource perimeter controls based on your definition of trusted resources. Use these keys in [Service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to restrict which resources can be accessed by your identities, or in [ VPC endpoint policies](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html) to restrict which resources can be accessed from your networks.
### Resources owned by you
You can use the following condition keys to define AWS resources that you create and manage in your AWS accounts.
+ [aws:ResourceOrgID](reference_policies_condition-keys.md#condition-keys-resourceorgid) – You can use this condition key to ensure the resource that is being accessed belongs to the specified organization in AWS Organizations.
+ [aws:ResourceOrgPaths](reference_policies_condition-keys.md#condition-keys-resourceorgpaths) – You can use this condition key to ensure the resource that is being accessed belongs to the specified organizational unit(OU) in AWS Organizations.
+ [aws:ResourceAccount](reference_policies_condition-keys.md#condition-keys-resourceaccount) – You can use this condition key to ensure the resource that is being accessed belongs to the specified AWS account.
### Resources of AWS services acting on your behalf
In some cases, you may need to permit access to AWS owned resources, resources that do not belong to your organization and that are accessed by your principals or by AWS services acting on your behalf. For more information about these scenarios, see [ Establishing a data perimeter on AWS: Allow only trusted resources from my organization](https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-resources-from-my-organization/).
## Network perimeter
A network perimeter is a set of coarse-grained preventative access controls that help ensure your identities can access resources only from expected networks and your resources can only be accessed from expected networks. Expected networks usually include your on-premises data centers and virtual private clouds (VPCs) and networks of AWS services acting on your behalf.
The following global condition keys help enforce network perimeter controls based on your definition of expected networks. Use these keys in [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) to restrict networks your identities can communicate from, or in [resource control policies (RCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_rcps.html) to constrain resource access to expected networks.
### Networks owned by you
You can use the following condition keys to define networks your employees and applications are expected to use to access your resources, such as your corporate IP CIDR range and your VPCs.
+ [aws:SourceIp](reference_policies_condition-keys.md#condition-keys-sourceip) – You can use this condition key to ensure the requester's IP address is within a specified IP range.
+ [aws:SourceVpc](reference_policies_condition-keys.md#condition-keys-sourcevpc) – You can use this condition key to ensure the VPC endpoint the request travels through belongs to the specified VPC.
+ [aws:SourceVpce](reference_policies_condition-keys.md#condition-keys-sourcevpce) – You can use this condition key to ensure the request travels through the specified VPC endpoint.
+ [aws:VpceAccount](reference_policies_condition-keys.md#condition-keys-vpceaccount) – You can use this condition key to ensure requests come through VPC endpoints owned by the specified AWS account.
+ [aws:VpceOrgPaths](reference_policies_condition-keys.md#condition-keys-vpceorgpaths) – You can use this condition key to ensure that requests come through VPC endpoints owned by accounts that belong to the specified organizational unit (OU) in AWS Organizations.
+ [aws:VpceOrgID](reference_policies_condition-keys.md#condition-keys-vpceorgid) – You can use this condition key to ensure requests come through VPC endpoints owned by accounts in the specified organization in AWS Organizations.
`aws:VpceAccount`, `aws:VpceOrgPaths`, and `aws:VpceOrgID` are particularly useful for implementing network perimeter controls that scale automatically with your VPC endpoint usage, without requiring updates to policies when you create new endpoints. See the [AWS global condition context keys](reference_policies_condition-keys.md) for the list of AWS services that support these keys.
### Networks of AWS services acting on your behalf
You can use the following condition keys to allow AWS services to access your resources from their networks when they act on your behalf.
+ [aws:ViaAWSService](reference_policies_condition-keys.md#condition-keys-viaawsservice) – You can use this condition key to ensure that AWS services can make requests on behalf of your principal using [Forward access sessions](access_forward_access_sessions.md) (FAS).
+ [aws:PrincipalIsAWSService](reference_policies_condition-keys.md#condition-keys-principalisawsservice) – You can use this condition key to ensure that AWS services can access your resources using [AWS service principals](reference_policies_elements_principal.md#principal-services).
There are additional scenarios where you need to permit access to AWS services that access your resources from outside your network. For more information, see [Establishing a data perimeter on AWS: Allow access to company data only from expected networks](https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-access-to-company-data-only-from-expected-networks/).
## Resources to learn more about data perimeters
The following resources can help you learn more about data perimeters across AWS.
+ [Data perimeters on AWS](https://aws.amazon.com/identity/data-perimeters-on-aws/) – Learn about data perimeters and their benefits and use cases.
+ [Blog Post Series: Establishing a Data Perimeter on AWS](https://aws.amazon.com/identity/data-perimeters-blog-post-series/) – These blog posts cover prescriptive guidance about establishing your data perimeter at scale, including key security and implementation considerations.
+ [Data perimeter policy examples](https://github.com/aws-samples/data-perimeter-policy-examples/tree/ce06665ca8b2f07debee7bed5153c3be0f31c73c) – This GitHub repository contains example policies that cover some common patterns to help you implement a data perimeter on AWS.
+ [Data perimeter helper](https://github.com/aws-samples/data-perimeter-helper/tree/main?tab=readme-ov-file) – This tool helps you design and anticipate the impact of your data perimeter controls by analyzing access activity in your [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) logs.
# Permissions boundaries for IAM entities
AWS supports *permissions boundaries* for IAM entities (users or roles). A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
For more information about policy types, see [Policy types](access_policies.md#access_policy-types).
**Important**
Don't use resource-based policy statements that include a `NotPrincipal` policy element with a `Deny` effect for IAM users or roles that have a permissions boundary policy attached. The `NotPrincipal` element with a `Deny` effect will always deny any IAM principal that has a permissions boundary policy attached, regardless of the values specified in the `NotPrincipal` element. This causes some IAM users or roles that would otherwise have access to the resource to lose access. We recommend changing your resource-based policy statements to use the condition operator [`ArnNotEquals`](reference_policies_elements_condition_operators.md#Conditions_ARN) with the [`aws:PrincipalArn`](reference_policies_condition-keys.md#condition-keys-principalarn) context key to limit access instead of the `NotPrincipal` element. For information about the `NotPrincipal` element, see [AWS JSON policy elements: NotPrincipal](reference_policies_elements_notprincipal.md).
You can use an AWS managed policy or a customer managed policy to set the boundary for an IAM entity (user or role). That policy limits the maximum permissions for the user or role.
For example, assume that the IAM user named `Shirley` should be allowed to manage only Amazon S3, Amazon CloudWatch, and Amazon EC2. To enforce this rule, you can use the following policy to set the permissions boundary for the `Shirley` user:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*",
"cloudwatch:*",
"ec2:*"
],
"Resource": "*"
}
]
}
```
------
When you use a policy to set the permissions boundary for a user, it limits the user's permissions but does not provide permissions on its own. In this example, the policy sets the maximum permissions of `Shirley` as all operations in Amazon S3, CloudWatch, and Amazon EC2. Shirley can never perform operations in any other service, including IAM, even if she has a permissions policy that allows it. For example, you can add the following policy to the `Shirley` user:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:CreateUser",
"Resource": "*"
}
}
```
------
This policy allows creating a user in IAM. If you attach this permissions policy to the `Shirley` user, and Shirley tries to create a user, the operation fails. It fails because the permissions boundary does not allow the `iam:CreateUser` operation. Given these two policies, Shirley does not have permission to perform any operations in AWS. You must add a different permissions policy to allow actions in other services, such as Amazon S3. Alternatively, you could update the permissions boundary to allow her to create a user in IAM.
## Evaluating effective permissions with boundaries
The permissions boundary for an IAM entity (user or role) sets the maximum permissions that the entity can have. This can change the effective permissions for that user or role. The effective permissions for an entity are the permissions that are granted by all the policies that affect the user or role. Within an account, the permissions for an entity can be affected by identity-based policies, resource-based policies, permissions boundaries, AWS Organizations SCPs, or session policies. For more information about the different types of policies, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
If any one of these policy types explicitly denies access for an operation, then the request is denied. The permissions granted to an entity by multiple permissions types are more complex. For more details about how AWS evaluates policies, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
**Identity-based policies with boundaries** – Identity-based policies are inline or managed policies that are attached to a user, group of users, or role. Identity-based policies grant permission to the entity, and permissions boundaries limit those permissions. The effective permissions are the intersection of both policy types. An explicit deny in either of these policies overrides the allow.
![\[Evaluation of identity-based policies and permissions boundaries\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/permissions_boundary.png)
**Resource-based policies** – Resource-based policies control how the specified principal can access the resource to which the policy is attached.
*Resource-based policies for IAM users*
Within the same account, resource-based policies that grant permissions to an IAM user ARN (that is not an AWS STS federated user principal session) are not limited by an implicit deny in an identity-based policy or permissions boundary.
![\[Evaluation of a resource-based policy, permissions boundary, and identity-based policy\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/EffectivePermissions-rbp-boundary-id.png)
*Resource-based policies for IAM roles *
**IAM role** – Resource-based policies that grant permissions to an IAM role ARN are limited by an implicit deny in a permissions boundary or session policy.
**IAM role session** – Within the same account, resource-based policies that grant permissions to an IAM role session ARN grant permissions directly to the assumed role session. Permissions granted directly to a session are not limited by an implicit deny in an identity-based policy, a permissions boundary, or session policy. When you assume a role and make a request, the principal making the request is the IAM role session ARN and not the ARN of the role itself.
*Resource-based policies for AWS STS federated user principal sessions*
**AWS STS federated user principal sessions** – An AWS STS federated user principal session is a session created by calling [`GetFederationToken`](id_credentials_temp_request.md#api_getfederationtoken). When a federated user makes a request, the principal making the request is the federated user ARN and not the ARN of the IAM user who federated. Within the same account, resource-based policies that grant permissions to a federated user ARN grant permissions directly to the session. Permissions granted directly to a session are not limited by an implicit deny in an identity-based policy, a permissions boundary, or session policy.
However, if a resource-based policy grants permission to the ARN of the IAM user who federated, then requests made by the AWS STS federated user principal during the session are limited by an implicit deny in a permission boundary or session policy.
**AWS Organizations SCPs** – SCPs are applied to an entire AWS account. They limit permissions for every request made by a principal within the account. An IAM entity (user or role) can make a request that is affected by an SCP, a permissions boundary, and an identity-based policy. In this case, the request is allowed only if all three policy types allow it. The effective permissions are the intersection of all three policy types. An explicit deny in any of these policies overrides the allow.
![\[Evaluation of an SCP, permissions boundary, and identity-based policy\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/EffectivePermissions-scp-boundary-id.png)
You can learn [whether your account is a member of an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_details.html#orgs_view_account) in AWS Organizations. Organization members might be affected by an SCP. To view this data using the AWS CLI command or AWS API operation, you must have permissions for the `organizations:DescribeOrganization` action for your AWS Organizations entity. You must have additional permissions to perform the operation in the AWS Organizations console. To learn whether an SCP is denying access to a specific request, or to change your effective permissions, contact your AWS Organizations administrator.
**Session policies** – Session policies are advanced policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. The permissions for a session come from the IAM entity (user or role) used to create the session and from the session policy. The entity's identity-based policy permissions are limited by the session policy and the permissions boundary. The effective permissions for this set of policy types are the intersection of all three policy types. An explicit deny in any of these policies overrides the allow. For more information about session policies, see [Session Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session).
![\[Evaluation of a session policy, permissions boundary, and identity-based policy\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/EffectivePermissions-session-boundary-id.png)
## Delegating responsibility to others using permissions boundaries
You can use permissions boundaries to delegate permissions management tasks, such as user creation, to IAM users in your account. This permits others to perform tasks on your behalf within a specific boundary of permissions.
For example, assume that María is the administrator of the X-Company AWS account. She wants to delegate user creation duties to Zhang. However, she must ensure that Zhang creates users that adhere to the following company rules:
+ Users cannot use IAM to create or manage users, groups, roles, or policies.
+ Users are denied access to the Amazon S3 `logs` bucket and cannot access the `i-1234567890abcdef0` Amazon EC2 instance.
+ Users cannot remove their own boundary policies.
To enforce these rules, María completes the following tasks, for which details are included below:
1. María creates the `XCompanyBoundaries` managed policy to use as a permissions boundary for all new users in the account.
1. María creates the `DelegatedUserBoundary` managed policy and assigns it as the permissions boundary for Zhang. Maria makes a note of her admin user's ARN and uses it in the policy to prevent Zhang from accessing it.
1. María creates the `DelegatedUserPermissions` managed policy and attaches it as a permissions policy for Zhang.
1. María tells Zhang about his new responsibilities and limitations.
**Task 1:** María must first create a managed policy to define the boundary for the new users. María will allow Zhang to give users the permissions policies they need, but she wants those users to be restricted. To do this, she creates the following customer managed policy with the name `XCompanyBoundaries`. This policy does the following:
+ Allows users full access to several services
+ Allows limited self-managing access in the IAM console. This means they can change their password after signing into the console. They can't set their initial password. To allow this, add the `"*LoginProfile"` action to the `AllowManageOwnPasswordAndAccessKeys` statement.
+ Denies users access to the Amazon S3 logs bucket or the `i-1234567890abcdef0` Amazon EC2 instance
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ServiceBoundaries",
"Effect": "Allow",
"Action": [
"s3:*",
"cloudwatch:*",
"ec2:*",
"dynamodb:*"
],
"Resource": "*"
},
{
"Sid": "AllowIAMConsoleForCredentials",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswordAndAccessKeys",
"Effect": "Allow",
"Action": [
"iam:*AccessKey*",
"iam:ChangePassword",
"iam:GetUser",
"iam:*ServiceSpecificCredential*",
"iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Sid": "DenyS3Logs",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::logs",
"arn:aws:s3:::logs/*"
]
},
{
"Sid": "DenyEC2Production",
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:*:*:instance/i-1234567890abcdef0"
}
]
}
```
------
Each statement serves a different purpose:
1. The `ServiceBoundaries` statement of this policy allows full access to the specified AWS services. This means that a new user's actions in these services are limited only by the permissions policies that are attached to the user.
1. The `AllowIAMConsoleForCredentials` statement allows access to list all IAM users. This access is necessary to navigate the **Users** page in the AWS Management Console. It also allows viewing the password requirements for the account, which is necessary when changing your own password.
1. The `AllowManageOwnPasswordAndAccessKeys` statement allows users to manage only their own console password and programmatic access keys. This is important if Zhang or another administrator assigns a new user a permissions policy with full IAM access. In that case, that user could then change their own or other users' permissions. This statement prevents that from happening.
1. The `DenyS3Logs` statement explicitly denies access to the `logs` bucket.
1. The `DenyEC2Production` statement explicitly denies access to the `i-1234567890abcdef0` instance.
**Task 2:** María wants to allow Zhang to create all X-Company users, but only with the `XCompanyBoundaries` permissions boundary. She creates the following customer managed policy named `DelegatedUserBoundary`. This policy defines the maximum permissions that Zhang can have.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "CreateOrChangeOnlyWithBoundary",
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:CreateUser",
"iam:DeleteUserPolicy",
"iam:DetachUserPolicy",
"iam:PutUserPermissionsBoundary",
"iam:PutUserPolicy"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::123456789012:policy/XCompanyBoundaries"
}
}
},
{
"Sid": "CloudWatchAndOtherIAMTasks",
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"iam:CreateAccessKey",
"iam:CreateGroup",
"iam:CreateLoginProfile",
"iam:CreatePolicy",
"iam:DeleteGroup",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:DeleteUser",
"iam:GetAccountPasswordPolicy",
"iam:GetGroup",
"iam:GetLoginProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListEntitiesForPolicy",
"iam:ListGroups",
"iam:ListGroupsForUser",
"iam:ListMFADevices",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:ListRolePolicies",
"iam:ListSSHPublicKeys",
"iam:ListServiceSpecificCredentials",
"iam:ListSigningCertificates",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:SetDefaultPolicyVersion",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy",
"iam:UpdateGroup",
"iam:UpdateLoginProfile",
"iam:UpdateUser"
],
"NotResource": "arn:aws:iam::123456789012:user/Maria"
},
{
"Sid": "NoBoundaryPolicyEdit",
"Effect": "Deny",
"Action": [
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": [
"arn:aws:iam::123456789012:policy/XCompanyBoundaries",
"arn:aws:iam::123456789012:policy/DelegatedUserBoundary"
]
},
{
"Sid": "NoBoundaryUserDelete",
"Effect": "Deny",
"Action": "iam:DeleteUserPermissionsBoundary",
"Resource": "*"
}
]
}
```
------
Each statement serves a different purpose:
1. The `CreateOrChangeOnlyWithBoundary` statement allows Zhang to create IAM users but only if he uses the `XCompanyBoundaries` policy to set the permissions boundary. This statement also allows him to set the permissions boundary for existing users but only using that same policy. Finally, this statement allows Zhang to manage permissions policies for users with this permissions boundary set.
1. The `CloudWatchAndOtherIAMTasks` statement allows Zhang to complete other user, group, and policy management tasks. He has permissions to reset passwords and create access keys for any IAM user not listed in the `NotResource` policy element. This allows him to help users with sign-in issues.
1. The `NoBoundaryPolicyEdit` statement denies Zhang access to update the `XCompanyBoundaries` policy. He is not allowed to change any policy that is used to set the permissions boundary for himself or other users.
1. The `NoBoundaryUserDelete` statement denies Zhang access to delete the permissions boundary for himself or other users.
María then assigns the `DelegatedUserBoundary` policy [as the permissions boundary](id_users_change-permissions.md#users_change_permissions-set-boundary-console) for the `Zhang` user.
**Task 3:** Because the permissions boundary limits the maximum permissions, but does not grant access on its own, Maria must create a permissions policy for Zhang. She creates the following policy named `DelegatedUserPermissions`. This policy defines the operations that Zhang can perform, within the defined boundary.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "IAM",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
},
{
"Sid": "CloudWatchLimited",
"Effect": "Allow",
"Action": [
"cloudwatch:GetDashboard",
"cloudwatch:GetMetricData",
"cloudwatch:ListDashboards",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics"
],
"Resource": "*"
},
{
"Sid": "S3BucketContents",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::ZhangBucket"
}
]
}
```
------
Each statement serves a different purpose:
1. The `IAM` statement of the policy allows Zhang full access to IAM. However, because his permissions boundary allows only some IAM operations, his effective IAM permissions are limited only by his permissions boundary.
1. The `CloudWatchLimited` statement allows Zhang to perform five actions in CloudWatch. His permissions boundary allows all actions in CloudWatch, so his effective CloudWatch permissions are limited only by his permissions policy.
1. The `S3BucketContents` statement allows Zhang to list the `ZhangBucket` Amazon S3 bucket. However, his permissions boundary does not allow any Amazon S3 action, so he cannot perform any S3 operations, regardless of his permissions policy.
**Note**
Zhang's policies allow him to create a user that can then access Amazon S3 resources that he can't access. By delegating these administrative actions, Maria effectively trusts Zhang with access to Amazon S3.
María then attaches the `DelegatedUserPermissions` policy as the permissions policy for the `Zhang` user.
**Task 4:** She gives Zhang instructions to create a new user. She tells him that he can create new users with any permissions that they need, but he must assign them the `XCompanyBoundaries` policy as a permissions boundary.
Zhang completes the following tasks:
1. Zhang creates a user with the AWS Management Console. He types the user name `Nikhil` and enables console access for the user. He clears the checkbox next to **Requires password reset**, because the policies above allow users to change their passwords only after they are signed in to the IAM console.
1. On the **Set permissions** page, Zhang chooses the **IAMFullAccess** and ** AmazonS3ReadOnlyAccess** permissions policies that allow Nikhil to do his work.
1. Zhang skips the **Set permissions boundary** section, forgetting María's instructions.
1. Zhang reviews the user details and chooses **Create user**.
The operation fails and access is denied. Zhang's `DelegatedUserBoundary` permissions boundary requires that any user he creates have the `XCompanyBoundaries` policy used as a permissions boundary.
1. Zhang returns to the previous page. In the **Set permissions boundary** section, he chooses the `XCompanyBoundaries` policy.
1. Zhang reviews the user details and chooses **Create user**.
The user is created.
When Nikhil signs in, he has access to IAM and Amazon S3, except those operations that are denied by the permissions boundary. For example, he can change his own password in IAM but can't create another user or edit his policies. Nikhil has read-only access to Amazon S3.
If someone adds a resource-based policy to the `logs` bucket that allows Nikhil to put an object in the bucket, he still cannot access the bucket. The reason is that any actions on the `logs` bucket are explicitly denied by his permissions boundary. An explicit deny in any policy type results in a request being denied. However, if a resource-based policy attached to a Secrets Manager secret allows Nikhil to perform the `secretsmanager:GetSecretValue` action, then Nikhil can retrieve and decrypt the secret. The reason is that Secrets Manager operations are not explicitly denied by his permissions boundary, and implicit denies in permissions boundaries do not limit resource-based policies.
# Identity-based policies and resource-based policies
A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. When you create a permissions policy to restrict access to a resource, you can choose an *identity-based policy* or a *resource-based policy*.
**Identity-based policies** are attached to an IAM user, group, or role. These policies let you specify what that identity can do (its permissions). For example, you can attach the policy to the IAM user named John, stating that he is allowed to perform the Amazon EC2 `RunInstances` action. The policy could further state that John is allowed to get items from an Amazon DynamoDB table named `MyCompany`. You can also allow John to manage his own IAM security credentials. Identity-based policies can be [managed or inline](access_policies_managed-vs-inline.md).
**Resource-based policies** are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, AWS Key Management Service encryption keys, and Amazon DynamoDB tables and streams. For a list of services that support resource-based policies, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md).
With resource-based policies, you can specify who has access to the resource and what actions they can perform on it. To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see [What is IAM Access Analyzer?](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html). Resource-based policies are inline only, not managed.
**Note**
*Resource-based* policies differ from *resource-level* permissions. You can attach resource-based policies directly to a resource, as described in this topic. Resource-level permissions refer to the ability to use [ARNs](reference_identifiers.md#identifiers-arns) to specify individual resources in a policy. Resource-based policies are supported only by some AWS services. For a list of which services support resource-based policies and resource-level permissions, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md).
To learn how identity-based policies and resource-based policies interact within the same account, see [Policy evaluation for requests within a single account](reference_policies_evaluation-logic_policy-eval-basics.md).
To learn how the policies interact across accounts, see [Cross-account policy evaluation logic](reference_policies_evaluation-logic-cross-account.md).
To better understand these concepts, view the following figure. The administrator of the `123456789012` account attached *identity-based policies* to the `John`, `Carlos`, and `Mary` users. Some of the actions in these policies can be performed on specific resources. For example, the user `John` can perform some actions on `Resource X`. This is a *resource-level permission* in an identity-based policy. The administrator also added *resource-based policies* to `Resource X`, `Resource Y`, and `Resource Z`. Resource-based policies allow you to specify who can access that resource. For example, the resource-based policy on `Resource X` allows the `John` and `Mary` users list and read access to the resource.
![\[Identity-based vs resource-based policies\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/Types_of_Permissions.diagram.png)
The `123456789012` account example allows the following users to perform the listed actions:
+ **John** – John can perform list and read actions on `Resource X`. He is granted this permission by the identity-based policy on his user and the resource-based policy on `Resource X`.
+ **Carlos** – Carlos can perform list, read, and write actions on `Resource Y`, but is denied access to `Resource Z`. The identity-based policy on Carlos allows him to perform list and read actions on `Resource Y`. The `Resource Y` resource-based policy also allows him write permissions. However, although his identity-based policy allows him access to `Resource Z`, the `Resource Z` resource-based policy denies that access. An explicit `Deny` overrides an `Allow` and his access to `Resource Z` is denied. For more information, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
+ **Mary** – Mary can perform list, read, and write operations on `Resource X`, `Resource Y`, and `Resource Z`. Her identity-based policy allows her more actions on more resources than the resource-based policies, but none of them deny access.
+ **Zhang** – Zhang has full access to `Resource Z`. Zhang has no identity-based policies, but the `Resource Z` resource-based policy allows him full access to the resource. Zhang can also perform list and read actions on `Resource Y`.
Identity-based policies and resource-based policies are both permissions policies and are evaluated together. For a request to which only permissions policies apply, AWS first checks all policies for a `Deny`. If one exists, then the request is denied. Then AWS checks for each `Allow`. If at least one policy statement allows the action in the request, the request is allowed. It doesn't matter whether the `Allow` is in the identity-based policy or the resource-based policy.
**Important**
This logic applies only when the request is made within a single AWS account. For requests made from one account to another, the requester in `Account A` must have an identity-based policy that allows them to make a request to the resource in `Account B`. Also, the resource-based policy in `Account B` must allow the requester in `Account A` to access the resource. There must be policies in both accounts that allow the operation, otherwise the request fails. For more information about using resource-based policies for cross-account access, see [Cross account resource access in IAM](access_policies-cross-account-resource-access.md).
A user who has specific permissions might request a resource that also has a permissions policy attached to it. In that case, AWS evaluates both sets of permissions when determining whether to grant access to the resource. For information about how policies are evaluated, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
**Note**
Amazon S3 supports identity-based policies and resource-based policies (referred to as *bucket policies*). In addition, Amazon S3 supports a permission mechanism known as an *access control list (ACL)* that is independent of IAM policies and permissions. You can use IAM policies in combination with Amazon S3 ACLs. For more information, see [Access Control](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingAuthAccess.html) in the *Amazon Simple Storage Service User Guide*.
# Control access to AWS resources using policies
You can use a policy to control access to resources within IAM or all of AWS.
To use a [policy](access_policies.md) to control access in AWS, you must understand how AWS grants access. AWS is composed of collections of *resources*. An IAM user is a resource. An Amazon S3 bucket is a resource. When you use the AWS API, the AWS CLI, or the AWS Management Console to perform an operation (such as creating a user), you send a *request* for that operation. Your request specifies an action, a resource, a *principal entity* (user or role), a *principal account*, and any necessary request information. All of this information provides *context*.
AWS then checks that you (the principal) are authenticated (signed in) and authorized (have permission) to perform the specified action on the specified resource. During authorization, AWS checks all the policies that apply to the context of your request. Most policies are stored in AWS as [JSON documents](access_policies.md#access_policies-json) and specify the permissions for principal entities. For more information about policy types and uses, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
AWS authorizes the request only if each part of your request is allowed by the policies. To view a diagram of this process, see [How IAM works](intro-structure.md). For details about how AWS determines whether a request is allowed, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
When you create an IAM policy, you can control access to the following:
+ **[Principals](#access_controlling-principals)** – Control what the person making the request (the [principal](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html?icmpid=docs_homepage_addtlrcs#principal)) is allowed to do.
+ **[IAM Identities](#access_controlling-identities)** – Control which IAM identities (IAM groups, users, and roles) can be accessed and how.
+ **[IAM Policies](#access_controlling-policies)** – Control who can create, edit, and delete customer managed policies, and who can attach and detach all managed policies.
+ **[AWS Resources](#access_controlling-resources)** – Control who has access to resources using an identity-based policy or a resource-based policy.
+ **[AWS Accounts](#access_controlling-principal-accounts)** – Control whether a request is allowed only for members of a specific account.
Policies let you specify who has access to AWS resources, and what actions they can perform on those resources. Every IAM user starts with no permissions. In other words, by default, users can do nothing, not even view their own access keys. To give a user permission to do something, you can add the permission to the user (that is, attach a policy to the user). Or you can add the user to a user group that has the intended permission.
For example, you might grant a user permission to list his or her own access keys. You might also expand that permission and also let each user create, update, and delete their own keys.
When you give permissions to a user group, all users in that user group get those permissions. For example, you can give the Administrators user group permission to perform any of the IAM actions on any of the AWS account resources. Another example: You can give the Managers user group permission to describe the Amazon EC2 instances of the AWS account.
For information about how to delegate basic permissions to your users, IAM groups, and roles, see [Permissions required to access IAM resources](access_permissions-required.md). For additional examples of policies that illustrate basic permissions, see [Example policies for administering IAM resources](id_credentials_delegate-permissions_examples.md).
## Controlling access for principals
You can use policies to control what the person making the request (the principal) is allowed to do. To do this, you must attach an identity-based policy to that person's identity (user, user group, or role). You can also use a [permissions boundary](access_policies_boundaries.md) to set the maximum permissions that an entity (user or role) can have.
For example, assume that you want the user Zhang Wei to have full access to CloudWatch, Amazon DynamoDB, Amazon EC2, and Amazon S3. You can create two different policies so that you can later break them up if you need one set of permissions for a different user. Or you can put both the permissions together in a single policy, and then attach that policy to the IAM user that is named Zhang Wei. You could also attach a policy to a user group to which Zhang belongs, or a role that Zhang can assume. As a result, when Zhang views the contents of an S3 bucket, his requests are allowed. If he tries to create a new IAM user, his request is denied because he doesn't have permission.
You can use a permissions boundary on Zhang to make sure that he is never given access to the `amzn-s3-demo-bucket1` S3 bucket. To do this, determine the *maximum* permissions that you want Zhang to have. In this case, you control what he does using his permissions policies. Here, you only care that he doesn't access the confidential bucket. So you use the following policy to define Zhang's boundary to allow all AWS actions for Amazon S3 and a few other services but deny access to the `amzn-s3-demo-bucket1` S3 bucket. Because the permissions boundary does not allow any IAM actions, it prevents Zhang from deleting his (or anyone's) boundary.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PermissionsBoundarySomeServices",
"Effect": "Allow",
"Action": [
"cloudwatch:*",
"dynamodb:*",
"ec2:*",
"s3:*"
],
"Resource": "*"
},
{
"Sid": "PermissionsBoundaryNoConfidentialBucket",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket1",
"arn:aws:s3:::amzn-s3-demo-bucket1/*"
]
}
]
}
```
------
When you assign a policy like this as a permissions boundary for a user, remember that it does not grant any permissions. It sets the maximum permissions that an identity-based policy can grant to an IAM entity. For more information about permissions boundaries, see [Permissions boundaries for IAM entities](access_policies_boundaries.md).
For detailed information about the procedures mentioned previously, refer to these resources:
+ To learn more about creating an IAM policy that you can attach to a principal, see [Define custom IAM permissions with customer managed policies](access_policies_create.md).
+ To learn how to attach an IAM policy to a principal, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
+ To see an example policy for granting full access to EC2, see [Amazon EC2: Allows full EC2 access within a specific Region, programmatically and in the console](reference_policies_examples_ec2_region.md).
+ To allow read-only access to an S3 bucket, use the first two statements of the following example policy: [Amazon S3: Allows read and write access to objects in an S3 Bucket, programmatically and in the console](reference_policies_examples_s3_rw-bucket-console.md).
+ To see an example policy for allowing users to set their credentials, such as their console password, their programmatic access keys, and their MFA devices, see [AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage.md).
## Controlling access to identities
You can use IAM policies to control what your users can do to an identity by creating a policy that you attach to all users through a user group. To do this, create a policy that limits what can be done to an identity, or who can access it.
For example, you can create a user group named **AllUsers**, and then attach that user group to all users. When you create the user group, you might give all your users access to set their credentials as described in the previous section. You can then create a policy that denies access to change the user group unless the user name is included in the condition of the policy. But that part of the policy only denies access to anyone except those users listed. You also have to include permissions to allow all the user group management actions for everyone in the user group. Finally, you attach this policy to the user group so that it is applied to all users. As a result, when a user not specified in the policy tries to make changes to the user group, the request is denied.
**To create this policy with the visual editor**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane on the left, choose **Policies**.
If this is your first time choosing **Policies**, the **Welcome to Managed Policies** page appears. Choose **Get Started**.
1. Choose **Create policy**.
1. On the **Policy editor** section, choose the **Visual** option.
1. In **Select a service** choose **IAM**.
1. In **Actions allowed**, type **group** in the search box. The visual editor shows all the IAM actions that contain the word `group`. Select all of the checkboxes.
1. Choose **Resources** to specify resources for your policy. Based on the actions you chose, you should see **group** and **user** resource types.
+ **group** – Choose **Add ARNs**. For **Resource in**, select the **Any account** option. Select the **Any group name with path** checkbox and then type the user group name **AllUsers**. Then choose **Add ARNs**.
+ **user** – Select the checkbox next to **Any in this account**.
One of the actions that you chose, `ListGroups`, does not support using specific resources. You do not have to choose **All resources** for that action. When you save your policy or view the policy in the **JSON** editor, you can see that IAM automatically creates a new permission block granting this action permission on all resources.
1. To add another permission block, choose **Add more permissions**.
1. Choose **Select a service** and then choose **IAM**.
1. Choose **Actions allowed** and then choose **Switch to deny permissions**. When you do that, the entire block is used to deny permissions.
1. Type **group** in the search box. The visual editor shows you all the IAM actions that contain the word `group`. Select the check boxes next to the following actions:
+ **CreateGroup**
+ **DeleteGroup**
+ **RemoveUserFromGroup**
+ **AttachGroupPolicy**
+ **DeleteGroupPolicy**
+ **DetachGroupPolicy**
+ **PutGroupPolicy**
+ **UpdateGroup**
1. Choose **Resources** to specify the resources for your policy. Based on the actions that you chose, you should see the **group** resource type. Choose **Add ARNs**. For **Resource in**, select the **Any account** option. For **Any group name with path**, type the user group name **AllUsers**. Then choose **Add ARNs**.
1. Choose **Request conditions - *optional*** and then choose **Add another condition**. Complete the form with the following values:
+ **Condition key** – Choose **aws:username**
+ **Qualifier** – Choose **Default**
+ **Operator** – Choose **StringNotEquals**
+ **Value** – Type **srodriguez** and then choose **Add** to add another value. Type **mjackson** and then choose **Add** to add another value. Type **adesai** and then choose **Add condition**.
This condition ensures that access will be denied to the specified user group management actions when the user making the call is not included in the list. Because this explicitly denies permission, it overrides the previous block that allowed those users to call the actions. Users on the list are not denied access, and they are granted permission in the first permission block, so they can fully manage the user group.
1. When you are finished, choose **Next**.
**Note**
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor option, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. On the **Review and create** page, for the **Policy Name**, type **LimitAllUserGroupManagement**. For the **Description**, type **Allows all users read-only access to a specific user group, and allows only specific users access to make changes to the user group**. Review **Permissions defined in this policy** to make sure that you have granted the intended permissions. Then choose **Create policy** to save your new policy.
1. Attach the policy to your user group. For more information, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
Alternatively, you can create the same policy using this example JSON policy document. To view this JSON policy, see [IAM: Allows specific IAM users to manage a group programmatically and in the console](reference_policies_examples_iam_users-manage-group.md). For detailed instructions for creating a policy using a JSON document, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).
## Controlling access to policies
You can control how your users can apply AWS managed policies. To do this, attach this policy to all your users. Ideally, you can do this using a user group.
For example, you might create a policy that allows users to attach only the [IAMUserChangePassword](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/IAMUserChangePassword) and [PowerUserAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/job-function/PowerUserAccess) AWS managed policies to a new IAM user, user group, or role.
For customer managed policies, you can control who can create, update, and delete these policies. You can control who can attach and detach policies to and from principal entities (IAM groups, users, and roles). You can also control which policies a user can attach or detach, and to and from which entities.
For example, you can give permissions to an account administrator to create, update, and delete policies. Then you give permissions to a team leader or other limited administrator to attach and detach these policies to and from principal entities that the limited administrator manages.
For more information, refer to these resources:
+ To learn more about creating an IAM policy that you can attach to a principal, see [Define custom IAM permissions with customer managed policies](access_policies_create.md).
+ To learn how to attach an IAM policy to a principal, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
+ To see an example policy for limiting the use of managed policies, see [IAM: Limits managed policies that can be applied to an IAM user, group, or role](reference_policies_examples_iam_limit-managed.md).
### Controlling permissions for creating, updating, and deleting customer managed policies
You can use [IAM policies](access_policies.md) to control who is allowed to create, update, and delete customer managed policies in your AWS account. The following list contains API operations that pertain directly to creating, updating, and deleting policies or policy versions:
+ [CreatePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html)
+ [CreatePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html)
+ [DeletePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html)
+ [DeletePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html)
+ [SetDefaultPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html)
The API operations in the preceding list correspond to actions that you can allow or deny—that is, permissions that you can grant—using an IAM policy.
Consider the following example policy. It allows a user to create, update (that is, create a new policy version), delete, and set a default version for all customer managed policies in the AWS account. The example policy also allows the user to list policies and get policies. To learn how to create a policy using this example JSON policy document, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).
**Example policy that allows creating, updating, deleting, listing, getting, and setting the default version for all policies**
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:CreatePolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicy",
"iam:DeletePolicyVersion",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListPolicies",
"iam:ListPolicyVersions",
"iam:SetDefaultPolicyVersion"
],
"Resource": "*"
}
}
```
You can create policies that limit the use of these API operations to affect only the managed policies that you specify. For example, you might want to allow a user to set the default version and delete policy versions, but only for specific customer managed policies. You do this by specifying the policy ARN in the `Resource` element of the policy that grants these permissions.
The following example shows a policy that allows a user to delete policy versions and set the default version. But these actions are only allowed for the customer managed policies that include the path /TEAM-A/. The customer managed policy ARN is specified in the `Resource` element of the policy. (In this example the ARN includes a path and a wildcard and thus matches all customer managed policies that include the path /TEAM-A/). To learn how to create a policy using this example JSON policy document, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).
For more information about using paths in the names of customer managed policies, see [Friendly names and paths](reference_identifiers.md#identifiers-friendly-names).
**Example policy that allows deleting policy versions and setting the default version for only specific policies**
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": "arn:aws:iam::111122223333:policy/TEAM-A/*"
}
}
```
### Controlling permissions for attaching and detaching managed policies
You can also use IAM policies to allow users to work with only specific managed policies. In effect, you can control which permissions a user is allowed to grant to other principal entities.
The following list shows API operations that pertain directly to attaching and detaching managed policies to and from principal entities:
+ [AttachGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html)
+ [AttachRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html)
+ [AttachUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html)
+ [DetachGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html)
+ [DetachRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html)
+ [DetachUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html)
You can create policies that limit the use of these API operations to affect only the specific managed policies and/or principal entities that you specify. For example, you might want to allow a user to attach managed policies, but only the managed policies that you specify. Or, you might want to allow a user to attach managed policies, but only to the principal entities that you specify.
The following example policy allows a user to attach managed policies to only the IAM groups and roles that include the path /TEAM-A/. The user group and role ARNs are specified in the `Resource` element of the policy. (In this example the ARNs include a path and a wildcard character and thus match all IAM groups and roles that include the path /TEAM-A/). To learn how to create a policy using this example JSON policy document, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).
**Example policy that allows attaching managed policies to only specific user groups or roles**
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::111122223333:group/TEAM-A/*",
"arn:aws:iam::111122223333:role/TEAM-A/*"
]
}
}
```
You can further limit the actions in the preceding example to affect only specific policies. That is, you can control which permissions a user is allowed to attach to other principal entities—by adding a condition to the policy.
In the following example, the condition ensures that the `AttachGroupPolicy` and `AttachRolePolicy` permissions are allowed only when the policy being attached matches one of the specified policies. The condition uses the `iam:PolicyARN` [condition key](reference_policies_elements_condition.md) to determine which policy or policies are allowed to be attached. The following example policy expands on the previous example. It allows a user to attach only the managed policies that include the path /TEAM-A/ to only the IAM groups and roles that include the path /TEAM-A/. To learn how to create a policy using this example JSON policy document, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:AttachGroupPolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::111122223333:group/TEAM-A/*",
"arn:aws:iam::111122223333:role/TEAM-A/*"
],
"Condition": {
"ArnLike": {
"iam:PolicyARN": "arn:aws:iam::111122223333:policy/TEAM-A/*"
}
}
}
}
```
------
This policy uses the `ArnLike` condition operator, but you can also use the `ArnEquals` condition operator because these two condition operators behave identically. For more information about `ArnLike` and `ArnEquals`, see [Amazon Resource Name (ARN) condition operators](reference_policies_elements_condition_operators.md#Conditions_ARN) in the *Condition Types* section of the *Policy Element Reference*.
For example, you can limit the use of actions to involve only the managed policies that you specify. You do this by specifying the policy ARN in the `Condition` element of the policy that grants these permissions. For example, to specify the ARN of a customer managed policy:
```
"Condition": {"ArnEquals":
{"iam:PolicyARN": "arn:aws:iam::123456789012:policy/POLICY-NAME"}
}
```
You can also specify the ARN of an AWS managed policy in a policy's `Condition` element. The ARN of an AWS managed policy uses the special alias `aws` in the policy ARN instead of an account ID, as in this example:
```
"Condition": {"ArnEquals":
{"iam:PolicyARN": "arn:aws:iam::aws:policy/AmazonEC2FullAccess"}
}
```
## Controlling access to resources
You can control access to resources using an identity-based policy or a resource-based policy. In an identity-based policy, you attach the policy to an identity and specify what resources that identity can access. In a resource-based policy, you attach a policy to the resource that you want to control. In the policy, you specify which principals can access that resource. For more information about both types of policies, see [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md).
For more information, refer to these resources:
+ To learn more about creating an IAM policy that you can attach to a principal, see [Define custom IAM permissions with customer managed policies](access_policies_create.md).
+ To learn how to attach an IAM policy to a principal, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
+ Amazon S3 supports using resource-based policies on their buckets. For more information, see [Bucket Policy Examples](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html).
**Resource Creators Do Not Automatically Have Permissions**
If you sign in using the AWS account root user credentials, you have permission to perform any action on resources that belong to the account. However, this isn't true for IAM users. An IAM user might be granted access to create a resource, but the user's permissions, even for that resource, are limited to what's been explicitly granted. This means that just because you create a resource, such as an IAM role, you do not automatically have permission to edit or delete that role. Additionally, your permission can be revoked at any time by the account owner or by another user who has been granted access to manage your permissions.
## Controlling access to principals in a specific account
You can directly grant IAM users in your own account access to your resources. If users from another account need access to your resources, you can create an IAM role. A role is an entity that includes permissions but isn't associated with a specific user. Users from other accounts can then assume the role and access resources according to the permissions you've assigned to the role. For more information, see [Access for an IAM user in another AWS account that you own](id_roles_common-scenarios_aws-accounts.md).
**Note**
Some services support resource-based policies as described in [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md) (such as Amazon S3, Amazon SNS, and Amazon SQS). For those services, an alternative to using roles is to attach a policy to the resource (bucket, topic, or queue) that you want to share. The resource-based policy can specify the AWS account that has permissions to access the resource.
# Controlling access to and for IAM users and roles using tags
Use the information in the following section to control who can access your IAM users and roles and what resources your users and roles can access. For more general information and examples of controlling access to other AWS resources, including other IAM resources, see [Tags for AWS Identity and Access Management resources](id_tags.md).
**Note**
For details about case sensitivity for tag keys and tag key values, see [Case sensitivity](id_tags.md#case-sensitivity).
Tags can be attached to the IAM *resource*, passed in the *request*, or attached to the *principal* that is making the request. An IAM user or role can be both a resource and principal. For example, you can write a policy that allows a user to list the groups for a user. This operation is allowed only if the user making the request (the principal) has the same `project=blue` tag as the user they're trying to view. In this example, the user can view the group membership for any user, including themselves, as long as they are working on the same project.
To control access based on tags, you provide tag information in the [condition element](reference_policies_elements_condition.md) of a policy. When you create an IAM policy, you can use IAM tags and the associated tag condition key to control access to any of the following:
+ **[Resource](access_tags.md#access_tags_control-resources)** – Control access to user or role resources based on their tags. To do this, use the **aws:ResourceTag/*key-name*** condition key to specify which tag key-value pair must be attached to the resource. For more information, see [Controlling access to AWS resources](access_tags.md#access_tags_control-resources).
+ **[Request](access_tags.md#access_tags_control-requests)** – Control what tags can be passed in an IAM request. To do this, use the **aws:RequestTag/*key-name*** condition key to specify what tags can be added, changed, or removed from an IAM user or role. This key is used the same way for IAM resources and other AWS resources. For more information, see [Controlling access during AWS requests](access_tags.md#access_tags_control-requests).
+ **[Principal](#access_iam-tags_control-principals)** – Control what the person making the request (the principal) is allowed to do based on the tags that are attached to that person's IAM user or role. To do this, use the **aws:PrincipalTag/*key-name*** condition key to specify what tags must be attached to the IAM user or role before the request is allowed.
+ **[Any part of the authorization process](#access_iam-tags_control-tag-keys)** – Use the **aws:TagKeys** condition key to control whether specific tag keys can be used in a request or by a principal. In this case, the key value does not matter. This key behaves similarly for IAM and other AWS services. However, when you tag a user in IAM, this also controls whether the principal can make the request to any service. For more information, see [Controlling access based on tag keys](access_tags.md#access_tags_control-tag-keys).
You can create an IAM policy using the visual editor, using JSON, or by importing an existing managed policy. For details, see [Define custom IAM permissions with customer managed policies](access_policies_create.md).
**Note**
You can also pass [session tags](id_session-tags.md) when you assume an IAM role or federate a user. These are valid only for the length of the session.
## Controlling access for IAM principals
You can control what the principal is allowed to do based on the tags attached to that person's identity.
This example shows how you might create an identity-based policy that allows any user in this account to view the group membership for any user, including themselves, as long as they are working on the same project. This operation is allowed only when the user's resource tag and the principal's tag have the same value for the tag key `project`. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:ListGroupsForUser",
"Resource": "arn:aws:iam::111222333444:user/*",
"Condition": {
"StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
}
}]
}
```
------
## Controlling access based on tag keys
You can use tags in your IAM policies to control whether specific tag keys can be used in a request or by a principal.
This example shows how you might create an identity-based policy that allows removing only the tag with the `temporary` key from users. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "iam:UntagUser",
"Resource": "*",
"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["temporary"]}}
}]
}
```
------
# Controlling access to AWS resources using tags
You can use tags to control access to your AWS resources that support tagging, including IAM resources. You can tag IAM users and roles to control what they can access. To learn how to tag IAM users and roles, see [Tags for AWS Identity and Access Management resources](id_tags.md). Additionally, you can control access to the following IAM resources: customer managed policies, IAM identity providers, instance profiles, server certificates, and virtual MFA devices. To view a tutorial for creating and testing a policy that allows IAM roles with principal tags to access resources with matching tags, see [IAM tutorial: Define permissions to access AWS resources based on tags](tutorial_attribute-based-access-control.md). Use the information in the following section to control access to other AWS resources, including IAM resources, without tagging IAM users or roles.
Before you use tags to control access to your AWS resources, you must understand how AWS grants access. AWS is composed of collections of *resources*. An Amazon EC2 instance is a resource. An Amazon S3 bucket is a resource. You can use the AWS API, the AWS CLI, or the AWS Management Console to perform an operation, such as creating a bucket in Amazon S3. When you do, you send a *request* for that operation. Your request specifies an action, a resource, a *principal entity* (user or role), a *principal account*, and any necessary request information. All of this information provides *context*.
AWS then checks that you (the principal entity) are authenticated (signed in) and authorized (have permission) to perform the specified action on the specified resource. During authorization, AWS checks all the policies that apply to the context of your request. Most policies are stored in AWS as [JSON documents](access_policies.md#access_policies-json) and specify the permissions for principal entities. For more information about policy types and uses, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
AWS authorizes the request only if each part of your request is allowed by the policies. To view a diagram and learn more about the IAM infrastructure, see [How IAM works](intro-structure.md). For details about how IAM determines whether a request is allowed, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
Tags are another consideration in this process because tags can be attached to the *resource* or passed in the *request* to services that support tagging. To control access based on tags, you provide tag information in the [condition element](reference_policies_elements_condition.md) of a policy. To learn whether an AWS service supports controlling access using tags, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes **in the **ABAC** column. Choose the name of the service to view the authorization and access control documentation for that service.
You can then create an IAM policy that allows or denies access to a resource based on that resource's tag. In that policy, you can use tag condition keys to control access to any of the following:
+ **[Resource](#access_tags_control-resources)** – Control access to AWS service resources based on the tags on those resources. To do this, use the **aws:ResourceTag/*key-name*** condition key to determine whether to allow access to the resource based on the tags that are attached to the resource.
+ **[Request](#access_tags_control-requests)** – Control what tags can be passed in a request. To do this, use the **aws:RequestTag/*key-name*** condition key to specify what tag key-value pairs can be passed in a request to tag an AWS resource.
+ **[Any part of the authorization process](#access_tags_control-tag-keys)** – Use the **aws:TagKeys** condition key to control whether specific tag keys can be in a request.
You can create an IAM policy visually, using JSON, or by importing an existing managed policy. For details, see [Define custom IAM permissions with customer managed policies](access_policies_create.md).
**Note**
Some services allow users to specify tags when they create the resource if they have permissions to use the action that creates the resource.
## Controlling access to AWS resources
You can use conditions in your IAM policies to control access to AWS resources based on the tags on that resource. You can do this using the global `aws:ResourceTag/tag-key` condition key, or a service-specific key. Some services support only the service-specific version of this key and not the global version.
**Warning**
Do not try to control who can pass a role by tagging the role and then using the `ResourceTag` condition key in a policy with the `iam:PassRole` action. This approach does not have reliable results. For more information about permissions required to pass a role to a service, see [Grant a user permissions to pass a role to an AWS service](id_roles_use_passrole.md).
This example shows how you might create an identity-based policy that allows starting or stopping Amazon EC2 instances. These operations are allowed only if the instance tag `Owner` has the value of the user name. This policy defines permissions for programmatic and console access.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"}
}
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
```
------
You can attach this policy to the IAM users in your account. If a user named `richard` attempts to start an Amazon EC2 instance, the instance must be tagged `Owner=richard` or `owner=richard`. Otherwise he will be denied access. The tag key `Owner` matches both `Owner` and `owner` because condition key names are not case-sensitive. For more information, see [IAM JSON policy elements: Condition](reference_policies_elements_condition.md).
This example shows how you might create an identity-based policy that uses the `team` principal tag in the resource ARN. The policy grants permission to delete Amazon Simple Queue Service queues, but only if the queue name starts with the team name followed by `-queue`. For example, `qa-queue` if `qa` is the team name for the `team` principal tag.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Sid": "AllQueueActions",
"Effect": "Allow",
"Action": "sqs:DeleteQueue",
"Resource": "arn:aws:sqs:us-east-2:111122223333:${aws:PrincipalTag/team}-queue"
}
}
```
------
## Controlling access during AWS requests
You can use conditions in your IAM policies to control what tag key-value pairs can be passed in a request that applies tags to an AWS resource.
This example shows how you might create an identity-based policy that allows using the Amazon EC2 `CreateTags` action to attach tags to an instance. You can attach tags only if the tag contains the `environment` key and the `preprod` or `production` values. If you want, you can use the `ForAllValues` modifier with the `aws:TagKeys` condition key to indicate that only the key `environment` is allowed in the request. This stops users from including other keys, such as accidentally using `Environment` instead of `environment`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/environment": [
"preprod",
"production"
]
},
"ForAllValues:StringEquals": {"aws:TagKeys": "environment"}
}
}
}
```
------
## Controlling access based on tag keys
You can use a condition in your IAM policies to control whether specific tag keys can be used in a request.
We recommend that when you use policies to control access using tags, you use the [`aws:TagKeys` condition key](reference_policies_condition-keys.md#condition-keys-tagkeys). AWS services that support tags might allow you to create multiple tag key names that differ only by case, such as tagging an Amazon EC2 instance with `stack=production` and `Stack=test`. Key names are not case sensitive in policy conditions. This means that if you specify `"aws:ResourceTag/TagKey1": "Value1"` in the condition element of your policy, then the condition matches a resource tag key named either `TagKey1` or `tagkey1`, but not both. To prevent duplicate tags with a key that varies only by case, use the `aws:TagKeys` condition to define the tag keys that your users can apply, or use tag policies, available with AWS Organizations. For more information see [Tag Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html) in the *AWS Organizations User Guide*.
This example shows how you might create an identity-based policy that allows creating and tagging a Secrets Manager secret, but only with the tag keys `environment` or `cost-center`. The `Null` condition ensures that the condition evaluates to `false` if there are no tags in the request.
```
{
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:TagResource"
],
"Resource": "*",
"Condition": {
"Null": {
"aws:TagKeys": "false"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"environment",
"cost-center"
]
}
}
}
```
# Cross account resource access in IAM
For some AWS services, you can grant cross-account access to your resources using IAM. To do this, you can attach a resource policy directly to the resource that you want to share, or use a role as a proxy.
To share the resource directly, the resource that you want to share must support [resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_access-management.html#intro-access-resource-based-policies). Unlike an identity-based policy for a role, a resource-based policy specifies who (which principal) can access that resource.
Use a role as a proxy when you want to access resources in another account that do not support resource-based policies.
For details about the differences between these policy types, see [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md).
**Note**
IAM roles and resource-based policies delegate access across accounts only within a single partition. For example, you have an account in US West (N. California) in the standard `aws` partition. You also have an account in China in the `aws-cn` partition. You can't use a resource-based policy in your account in China to allow access for users in your standard AWS account.
## Cross-account access using roles
Not all AWS services support resource-based policies. For these services, you can use cross-account IAM roles to centralize permission management when providing cross-account access to multiple services. A cross-account IAM role is an IAM role that includes a [trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#term_trust-policy) that allows IAM principals in another AWS account to assume the role. Put simply, you can create a role in one AWS account that delegates specific permissions to another AWS account.
For information about attaching a policy to an IAM identity, see [Manage IAM policies](access_policies_manage.md).
**Note**
When a principal switches to a role to temporarily use the permissions of the role, they give up their original permissions and take on the permissions assigned to the role they’ve assumed.
Let’s take a look at the overall process as it applies to APN Partner software that needs to access a customer account.
1. The customer creates an IAM role in their own account with a policy that allows access the Amazon S3 resources that the APN partner requires. In this example, the role name is `APNPartner`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name"
]
}
]
}
```
------
1. Then, the customer specifies that the role can be assumed by the partner’s AWS account by providing the APN Partner’s AWS account ID in the [trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) for the `APNPartner` role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/APN-user-name"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. The customer gives the Amazon Resource Name (ARN) of the role to the APN partner. The ARN is the fully qualified name of the role.
```
arn:aws:iam::Customer-Account-ID:role/APNPartner
```
**Note**
We recommend using an external ID in multi-tenant situations. For details, see [Access to AWS accounts owned by third parties](id_roles_common-scenarios_third-party.md).
1. When the APN Partner’s software needs to access the customer’s account, the software calls the [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API in the AWS Security Token Service with the ARN of the role in the customer’s account. STS returns a temporary AWS credential that allows the software to do its work.
For another example of granting cross-account access using roles, see [Access for an IAM user in another AWS account that you own](id_roles_common-scenarios_aws-accounts.md). You can also follow the [IAM tutorial: Delegate access across AWS accounts using IAM roles](tutorial_cross-account-with-roles.md).
## Cross-account access using resource-based policies
When an account accesses a resource through another account using a resource-based policy, the principal still works in the trusted account and does not have to give up their permissions to receive the role permissions. In other words, the principal continues to have access to resources in the trusted account while having access to the resource in the trusting account. This is useful for tasks such as copying information to or from the shared resource in the other account.
The principals that you can specify in a resource based policy include accounts, IAM users, AWS STS federated user principals, SAML federated principals, OIDC federated principals, IAM roles, assumed-role sessions, or AWS services. For more information, see [Specifying a principal](https://docs.aws.amazon.com//IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying).
To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see [Identifying resources shared with an external entity](https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html#what-is-access-analyzer-resource-identification).
The following list includes some of the AWS services that support resource-based policies. For a complete list of the growing number of AWS services that support attaching permission policies to resources instead of principals, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes** in the **Resource Based** column.
+ **Amazon S3 buckets** — The policy is attached to the bucket, but the policy controls access to both the bucket and the objects in it. For more information, see [Bucket policies for Amazon S3](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html) in the *Amazon Simple Storage Service User Guide*. In some cases, it may be best to use roles for cross-account access to Amazon S3. For more information, see the [example walkthroughs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access.html) in the *Amazon Simple Storage Service User Guide*.
+ **Amazon Simple Notification Service (Amazon SNS) topics** — For more information, go to [Example cases for Amazon SNS access control](https://docs.aws.amazon.com//sns/latest/dg/sns-access-policy-use-cases.html) in the *Amazon Simple Notification Service Developer Guide*.
+ **Amazon Simple Queue Service (Amazon SQS) queues** – For more information, go to [Appendix: The Access Policy Language](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-creating-custom-policies.html) in the *Amazon Simple Queue Service Developer Guide*.
## Resource-based policies to delegate AWS permissions
If a resource grants permissions to principals in your account, you can then delegate those permissions to specific IAM identities. Identities are users, groups of users, or roles in your account. You delegate permissions by attaching a policy to the identity. You can grant up to the maximum permissions that are allowed by the resource-owning account.
**Important**
In cross account access, a principal needs an `Allow` in the identity policy **and** the resource-based policy.
Assume that a resource-based policy allows all principals in your account full administrative access to a resource. Then you can delegate full access, read-only access, or any other partial access to principals in your AWS account. Alternatively, if the resource-based policy allows only list permissions, then you can delegate only list access. If you try to delegate more permissions than your account has, your principals will still have only list access.
For more information about how these decisions are made, see [Determining whether a request is allowed or denied within an account](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.html).
**Note**
IAM roles and resource-based policies delegate access across accounts only within a single partition. For example, you can't add cross-account access between an account in the standard `aws` partition and an account in the `aws-cn` partition.
For example, assume that you manage `AccountA` and `AccountB`. In AccountA, you have an Amazon S3 bucket named `BucketA`.
![\[A resource-based policy created for Amazon S3 bucket provides AccountB permissions to AccountA.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access_policies-cross-account.png)
1. You attach a resource-based policy to `BucketA` that allows all principals in AccountB full access to objects in your bucket. They can create, read, or delete any objects in that bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "PrincipalAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:root"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::BucketA/*"
}
]
}
```
------
AccountA gives AccountB full access to BucketA by naming AccountB as a principal in the resource-based policy. As a result, AccountB is authorized to perform any action on BucketA, and the AccountB administrator can delegate access to its users in AccountB.
The AccountB root user has all of the permissions that are granted to the account. Therefore, the root user has full access to BucketA.
1. In AccountB, attach a policy to the IAM user named User2. That policy allows the user read-only access to the objects in BucketA. That means that User2 can view the objects, but not create, edit, or delete them.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect" : "Allow",
"Action" : [
"s3:Get*",
"s3:List*" ],
"Resource" : "arn:aws:s3:::BucketA/*"
}
]
}
```
------
The maximum level of access that AccountB can delegate is the access level that is granted to the account. In this case, the resource-based policy granted full access to AccountB, but User2 is granted only read-only access.
The AccountB administrator does not give access to User1. By default, users do not have any permissions except those that are explicitly granted, so User1 does not have access to BucketA.
IAM evaluates a principal's permissions at the time the principal makes a request. If you use wildcards (\$1) to give users full access to your resources, principals can access any resources that your AWS account has access to. This is true even for resources you add or gain access to after creating the user's policy.
In the preceding example, if AccountB had attached a policy to User2 that allowed full access to all resources in all accounts, User2 would automatically have access to any resources that AccountB has access to. This includes the BucketA access and access to any other resources granted by resource-based policies in AccountA.
For more information about complex uses of roles, such as granting access to applications and services, see [Common scenarios for IAM roles](id_roles_common-scenarios.md).
**Important**
Give access only to entities you trust, and give the minimum level of access necessary. Whenever the trusted entity is another AWS account, any IAM principal can be granted access to your resource. The trusted AWS account can delegate access only to the extent that it has been granted access; it cannot delegate more access than the account itself has been granted.
For information about permissions, policies, and the permission policy language that you use to write policies, see [Access management for AWS resources](access.md).
# Forward access sessions
Forward access sessions (FAS) is an IAM technology used by AWS services to pass your identity, permissions, and session attributes when an AWS service makes a request on your behalf. FAS uses the permissions of the identity calling an AWS service, combined with an AWS service’s identity to make requests to downstream services. FAS requests are only made to AWS services on behalf of an IAM principal after a service has received a request that requires interactions with other AWS services or resources to complete. When a FAS request is made:
+ The service that receives the initial request from an IAM principal checks the permissions of the IAM principal.
+ The service that receives a subsequent FAS request also checks the permissions of the same IAM principal.
For example, FAS is used by Amazon S3 to make calls to AWS Key Management Service to decrypt an object when [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingKMSEncryption.html) was used to encrypt it. When downloading an SSE-KMS encrypted object, a role named **data-reader** calls GetObject on the object against Amazon S3, and does not call AWS KMS directly. After receiving the GetObject request and authorizing data-reader, Amazon S3 then makes a FAS request to AWS KMS in order to decrypt the Amazon S3 object. When KMS receives the FAS request it checks the permissions of the role and only authorizes the decryption request if data-reader has the correct permissions on the KMS key. The requests to both Amazon S3 and AWS KMS are authorized using the role’s permissions and is only successful if data-reader has permissions to both the Amazon S3 object and the AWS KMS key.
![\[A flow diagram of an IAM role being passed as the principal to Amazon S3 and then to AWS KMS.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access-fas-example.png)
**Note**
Additional FAS requests can be made by services who have received a FAS request. In such cases, the requesting principal must have permissions for all services called by FAS.
## FAS Requests and IAM policy conditions
When FAS requests are made, [aws:CalledVia](reference_policies_condition-keys.md#condition-keys-calledvia), [aws:CalledViaFirst](reference_policies_condition-keys.md#condition-keys-calledviafirst), and [aws:CalledViaLast](reference_policies_condition-keys.md#condition-keys-calledvialast) condition keys are populated with the service principal of the service that initiated the FAS call. The [aws:ViaAWSService](reference_policies_condition-keys.md#condition-keys-viaawsservice) condition key value is set to `true` whenever a FAS request is made. In the following diagram, the request to CloudFormation directly does not have any `aws:CalledVia` or `aws:ViaAWSService` condition keys set. When CloudFormation and DynamoDB make downstream FAS requests on the behalf of the role, the values for these condition keys are populated.
![\[A flow diagram of an IAM role being passed as the principal to CloudFormation and then passing the condition key values to DynamoDB and AWS KMS.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/access-fas-example2.png)
To allow a FAS request to be made when it would otherwise be denied by a Deny policy statement with a condition key testing Source IP addresses or Source VPCs, you must use condition keys to provide an exception for FAS requests in your Deny policy. This can be done for all FAS requests by using the `aws:ViaAWSService` condition key. To allow only specific AWS services to make FAS requests, use `aws:CalledVia`.
**Important**
When a FAS request is made after an initial request is made through a VPC endpoint, the condition key values for `aws:SourceVpce`, `aws:SourceVpc`, and `aws:VpcSourceIp` from the initial request are not used in FAS requests. When writing policies using `aws:VpcSourceIp` or `aws:SourceVpce` to conditionally grant access, you must also use `aws:ViaAWSService` or `aws:CalledVia` to allow FAS requests. When a FAS request is made after an initial request is received by a public AWS service endpoint, subsequent FAS requests will be made with the same `aws:SourceIP` condition key value.
## Example: Allow Amazon S3 access from a VPC or with FAS
In the following IAM policy example, Amazon S3 GetObject and Athena requests are only allowed if they originate from VPC endpoints attached to *example\$1vpc*, or if the request is a FAS request made by Athena.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "OnlyAllowMyIPs",
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetWorkGroup",
"athena:StopQueryExecution",
"athena:GetQueryExecution"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceVPC": [
"vpc-111bbb22"
]
}
}
},
{
"Sid": "OnlyAllowFAS",
"Effect": "Allow",
"Action": [
"s3:GetObject*"
],
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": "athena.amazonaws.com"
}
}
}
]
}
```
------
For additional examples of using condition keys to allow FAS access, see the [ data perimeter example policy repo](https://github.com/aws-samples/data-perimeter-policy-examples).
# Example IAM identity-based policies
A [policy](access_policies.md) is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents that are attached to an IAM identity (user, group of users, or role). Identity-based policies include AWS managed policies, customer managed policies, and inline policies. To learn how to create an IAM policy using these example JSON policy documents, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).
By default all requests are denied, so you must provide access to the services, actions, and resources that you intend for the identity to access. If you also want to allow access to complete the specified actions in the IAM console, you need to provide additional permissions.
The following library of policies can help you define permissions for your IAM identities. After you find the policy that you need, choose **view this policy** to view the JSON for the policy. You can use the JSON policy document as a template for your own policies.
**Note**
If you would like to submit a policy to be included in this reference guide, use the **Feedback** button at the bottom of this page.
## Example policies: AWS
+ Allows access during a specific range of dates. ([View this policy](reference_policies_examples_aws-dates.md).)
+ Allows enabling and disabling AWS Regions. ([View this policy](reference_policies_examples_aws-enable-disable-regions.md).)
+ Allows MFA-authenticated users to manage their own credentials on the **Security credentials** page. ([View this policy](reference_policies_examples_aws_my-sec-creds-self-manage.md).)
+ Allows specific access when using MFA during a specific range of dates. ([View this policy](reference_policies_examples_aws_mfa-dates.md).)
+ Allows users to manage their own credentials on the **Security credentials** page. ([View this policy](reference_policies_examples_aws_my-sec-creds-self-manage-no-mfa.md).)
+ Allows users to manage their own MFA device on the **Security credentials** page. ([View this policy](reference_policies_examples_aws_my-sec-creds-self-manage-mfa-only.md).)
+ Allows users to manage their own password on the **Security credentials** page. ([View this policy](reference_policies_examples_aws_my-sec-creds-self-manage-password-only.md).)
+ Allows users to manage their own password, access keys, and SSH public keys on the **Security credentials** page. ([View this policy](reference_policies_examples_aws_my-sec-creds-self-manage-pass-accesskeys-ssh.md).)
+ Denies access to AWS based on the requested Region. ([View this policy](reference_policies_examples_aws_deny-requested-region.md).)
+ Denies access to AWS based on the source IP address. ([View this policy](reference_policies_examples_aws_deny-ip.md).)
## Example policy: AWS Data Exchange
+ Deny access to Amazon S3 resources outside of your account except AWS Data Exchange. ([View this policy](reference_policies_examples_resource_account_data_exch.md).)
## Example policies: AWS Data Pipeline
+ Denies access to pipelines that a user did not create ([View this policy](reference_policies_examples_datapipeline_not-owned.md).)
## Example policies: Amazon DynamoDB
+ Allows access to a specific Amazon DynamoDB table ([View this policy](reference_policies_examples_dynamodb_specific-table.md).)
+ Allows access to specific Amazon DynamoDB attributes ([View this policy](reference_policies_examples_dynamodb_attributes.md).)
+ Allows item-level access to Amazon DynamoDB based on an Amazon Cognito ID ([View this policy](reference_policies_examples_dynamodb_items.md).)
## Example policies: Amazon EC2
+ Allows attaching or detaching Amazon EBS volumes to Amazon EC2 instances based on tags ([View this policy](reference_policies_examples_ec2_ebs-owner.md).)
+ Allows launching Amazon EC2 instances in a specific subnet, programmatically and in the console ([View this policy](reference_policies_examples_ec2_instances-subnet.md).)
+ Allows managing Amazon EC2 security groups associated with a specific VPC, programmatically and in the console ([View this policy](reference_policies_examples_ec2_securitygroups-vpc.md).)
+ Allows starting or stopping Amazon EC2 instances a user has tagged, programmatically and in the console ([View this policy](reference_policies_examples_ec2_tag-owner.md).)
+ Allows starting or stopping Amazon EC2 instances based on resource and principal tags, programmatically and in the console ([View this policy](reference_policies_examples_ec2-start-stop-tags.md).)
+ Allows starting or stopping Amazon EC2 instances when the resource and principal tags match ([View this policy](reference_policies_examples_ec2-start-stop-match-tags.md).)
+ Allows full Amazon EC2 access within a specific Region, programmatically and in the console. ([View this policy](reference_policies_examples_ec2_region.md).)
+ Allows starting or stopping a specific Amazon EC2 instance and modifying a specific security group, programmatically and in the console ([View this policy](reference_policies_examples_ec2_instance-securitygroup.md).)
+ Denies access to specific Amazon EC2 operations without MFA ([View this policy](reference_policies_examples_ec2_require-mfa.md).)
+ Limits terminating Amazon EC2 instances to a specific IP address range ([View this policy](reference_policies_examples_ec2_terminate-ip.md).)
## Example policies: AWS Identity and Access Management (IAM)
+ Allows access to the policy simulator API ([View this policy](reference_policies_examples_iam_policy-sim.md).)
+ Allows access to the policy simulator console ([View this policy](reference_policies_examples_iam_policy-sim-console.md).)
+ Allows assuming any roles that have a specific tag, programmatically and in the console ([View this policy](reference_policies_examples_iam-assume-tagged-role.md).)
+ Allows and denies access to multiple services, programmatically and in the console ([View this policy](reference_policies_examples_iam_multiple-services-console.md).)
+ Allows adding a specific tag to an IAM user with a different specific tag, programmatically and in the console ([View this policy](reference_policies_examples_iam-add-tag.md).)
+ Allows adding a specific tag to any IAM user or role, programmatically and in the console ([View this policy](reference_policies_examples_iam-add-tag-user-role.md).)
+ Allows creating a new user only with specific tags ([View this policy](reference_policies_examples_iam-new-user-tag.md).)
+ Allows generating and retrieving IAM credential reports ([View this policy](reference_policies_examples_iam-credential-report.md).)
+ Allows managing a group's membership, programmatically and in the console ([View this policy](reference_policies_examples_iam_manage-group-membership.md).)
+ Allows managing a specific tag ([View this policy](reference_policies_examples_iam-manage-tags.md).)
+ Allows passing an IAM role to a specific service ([View this policy](reference_policies_examples_iam-passrole-service.md).)
+ Allows read-only access to the IAM console without reporting ([View this policy](reference_policies_examples_iam_read-only-console-no-reporting.md).)
+ Allows read-only access to the IAM console ([View this policy](reference_policies_examples_iam_read-only-console.md).)
+ Allows specific users to manage a group, programmatically and in the console ([View this policy](reference_policies_examples_iam_users-manage-group.md).)
+ Allows setting the account password requirements, programmatically and in the console ([View this policy](reference_policies_examples_iam_set-account-pass-policy.md).)
+ Allows using the policy simulator API for users with a specific path ([View this policy](reference_policies_examples_iam_policy-sim-path.md).)
+ Allows using the policy simulator console for users with a specific path ([View this policy](reference_policies_examples_iam_policy-sim-path-console.md).)
+ Allows IAM users to self-manage an MFA device. ([View this policy](reference_policies_examples_iam_mfa-selfmanage.md).)
+ Allows IAM users to set their own credentials, programmatically and in the console. ([View this policy](reference_policies_examples_iam_credentials_console.md).)
+ Allows viewing service last accessed information for an AWS Organizations policy in the IAM console. ([View this policy](reference_policies_examples_iam_service-accessed-data-orgs.md).)
+ Limits managed policies that can be applied to an IAM user, group, or role ([View this policy](reference_policies_examples_iam_limit-managed.md).)
+ Allows access to IAM policies only in your account ([View this policy](resource_examples_iam_policies_resource_account.md).)
## Example policies: AWS Lambda
+ Allows an AWS Lambda function to access an Amazon DynamoDB table ([View this policy](reference_policies_examples_lambda-access-dynamodb.md).)
## Example policies: Amazon RDS
+ Allows full Amazon RDS database access within a specific Region. ([View this policy](reference_policies_examples_rds_region.md).)
+ Allows restoring Amazon RDS databases, programmatically and in the console ([View this policy](reference_policies_examples_rds_db-console.md).)
+ Allows tag owners full access to Amazon RDS resources that they have tagged ([View this policy](reference_policies_examples_rds_tag-owner.md).)
## Example policies: Amazon S3
+ Allows an Amazon Cognito user to access objects in their own Amazon S3 bucket ([View this policy](reference_policies_examples_s3_cognito-bucket.md).)
+ Allows a user with temporary credentials to access their own home directory in Amazon S3, programmatically and in the console ([View this policy](reference_policies_examples_s3_federated-home-directory-console.md).)
+ Allows full S3 access, but explicitly denies access to the Production bucket if the administrator has not signed in using MFA within the last thirty minutes ([View this policy](reference_policies_examples_s3_full-access-except-production.md).)
+ Allows IAM users to access their own home directory in Amazon S3, programmatically and in the console ([View this policy](reference_policies_examples_s3_home-directory-console.md).)
+ Allows a user to manage a single Amazon S3 bucket and denies every other AWS action and resource ([View this policy](reference_policies_examples_s3_deny-except-bucket.md).)
+ Allows `Read` and `Write` access to a specific Amazon S3 bucket ([View this policy](reference_policies_examples_s3_rw-bucket.md).)
+ Allows `Read` and `Write` access to a specific Amazon S3 bucket, programmatically and in the console ([View this policy](reference_policies_examples_s3_rw-bucket-console.md).)
# AWS: Allows access based on date and time
This example shows how you might create an identity-based policy that allows access to actions based on date and time. This policy restricts access to actions that occur between April 1, 2020 and June 30, 2020 (UTC), inclusive. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
To learn about using multiple conditions within the `Condition` block of an IAM policy, see [Multiple values in a condition](reference_policies_elements_condition.md#Condition-multiple-conditions).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "service-prefix:action-name",
"Resource": "*",
"Condition": {
"DateGreaterThan": {"aws:CurrentTime": "2020-04-01T00:00:00Z"},
"DateLessThan": {"aws:CurrentTime": "2020-06-30T23:59:59Z"}
}
}
]
}
```
------
**Note**
You cannot use a policy variable with the Date condition operator. To learn more see [Condition element](reference_policies_variables.md#policy-vars-conditionelement)
# AWS: Allows enabling and disabling AWS Regions
This example shows how you might create an identity-based policy that allows an administrator to enable and disable the Asia Pacific (Hong Kong) Region (ap-east-1). This policy defines permissions for programmatic and console access. This setting appears in the **Account settings** page in the AWS Management Console. This page includes sensitive account-level information that should be viewed and managed only by account administrators. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
**Important**
You cannot enable or disable regions that are enabled by default. You can only include regions that are *disabled* by default. For more information, see [Managing AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html) in the *AWS General Reference*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "EnableDisableHongKong",
"Effect": "Allow",
"Action": [
"account:EnableRegion",
"account:DisableRegion"
],
"Resource": "*",
"Condition": {
"StringEquals": {"account:TargetRegion": "ap-east-1"}
}
},
{
"Sid": "ViewConsole",
"Effect": "Allow",
"Action": [
"account:ListRegions"
],
"Resource": "*"
}
]
}
```
------
# AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page
This example shows how you might create an identity-based policy that allows IAM users that are authenticated using [multi-factor authentication (MFA)](id_credentials_mfa.md) to manage their own credentials on the **Security credentials** page. This AWS Management Console page displays account information such as the account ID and canonical user ID. Users can also view and edit their own passwords, access keys, MFA devices, X.509 certificates, and SSH keys and Git credentials. This example policy includes the permissions required to view and edit all of the information on the page. It also requires the user to set up and authenticate using MFA before performing any other operations in AWS. To allow users to manage their own credentials without using MFA, see [AWS: Allows IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage-no-mfa.md).
To learn how users can access the **Security credentials** page, see [How IAM users change their own password (console)](id_credentials_passwords_user-change-own.md#ManagingUserPwdSelf-Console).
**Note**
This example policy does not allow users to reset a password while signing in to the AWS Management Console for the first time. We recommend that you do not grant permissions to new users until after they sign in. For more information, see [How do I securely create IAM users?](troubleshoot.md#troubleshoot_general_securely-create-iam-users). This also prevents users with an expired password from resetting their password during sign in. You can allow this by adding `iam:ChangePassword` and `iam:GetAccountPasswordPolicy` to the statement `DenyAllExceptListedIfNoMFA`. However, we do not recommend this because allowing users to change their password without MFA can be a security risk.
If you intend to use this policy for programmatic access you must call [https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html) to authenticate with MFA. For more information, see [Secure API access with MFA](id_credentials_mfa_configure-api-require.md).
**What does this policy do?**
+ The `AllowViewAccountInfo` statement allows the user to view account-level information. These permissions must be in their own statement because they do not support or do not need to specify a resource ARN. Instead the permissions specify `"Resource" : "*"`. This statement includes the following actions that allow the user to view specific information:
+ `GetAccountPasswordPolicy` – View the account password requirements while changing their own IAM user password.
+ `ListVirtualMFADevices` – View details about a virtual MFA device that is enabled for the user.
+ The `AllowManageOwnPasswords` statement allows the user to change their own password. This statement also includes the `GetUser` action, which is required to view most of the information on the **My security credentials** page.
+ The `AllowManageOwnAccessKeys` statement allows the user to create, update, and delete their own access keys. The user can also retrieve information about when the specified access key was last used.
+ The `AllowManageOwnSigningCertificates` statement allows the user to upload, update, and delete their own signing certificates.
+ The `AllowManageOwnSSHPublicKeys` statement allows the user to upload, update, and delete their own SSH public keys for CodeCommit.
+ The `AllowManageOwnGitCredentials` statement allows the user to create, update, and delete their own Git credentials for CodeCommit.
+ The `AllowManageOwnVirtualMFADevice` statement allows the user to create their own virtual MFA device. The resource ARN in this statement allows the user to create an MFA device with any name, but the other statements in the policy only allow the user to attach the device to the currently signed-in user.
+ The `AllowManageOwnUserMFA` statement allows the user to view or manage the virtual, U2F, or hardware MFA device for their own user. The resource ARN in this statement allows access to only the user's own IAM user. Users can't view or manage the MFA device for other users.
+ The `DenyAllExceptListedIfNoMFA` statement denies access to every action in all AWS services, except a few listed actions, but ***only if*** the user is not signed in with MFA. The statement uses a combination of `"Deny"` and `"NotAction"` to explicitly deny access to every action that is not listed. The items listed are not denied or allowed by this statement. However, the actions are allowed by other statements in the policy. For more information about the logic for this statement, see [NotAction with Deny](reference_policies_elements_notaction.md). If the user is signed in with MFA, then the `Condition` test fails and this statement does not deny any actions. In this case, other policies or statements for the user determine the user's permissions.
This statement ensures that when the user is not signed in with MFA that they can perform only the listed actions. In addition, they can perform the listed actions only if another statement or policy allows access to those actions. This does not allow a user to create a password at sign-in, because `iam:ChangePassword` action should not be allowed without MFA authorization.
The `...IfExists` version of the `Bool` operator ensures that if the `aws:MultiFactorAuthPresent` key is missing, the condition returns true. This means that a user accessing an API with long-term credentials, such as an access key, is denied access to the non-IAM API operations.
This policy does not allow users to view the **Users** page in the IAM console or use that page to access their own user information. To allow this, add the `iam:ListUsers` action to the `AllowViewAccountInfo` statement and the `DenyAllExceptListedIfNoMFA` statement. It also does not allow users to change their password on their own user page. To allow this, add the `iam:GetLoginProfile` and `iam:UpdateLoginProfile` actions to the `AllowManageOwnPasswords` statement. To also allow a user to change their password from their own user page without signing in using MFA, add the `iam:UpdateLoginProfile` action to the `DenyAllExceptListedIfNoMFA` statement.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:GetAccessKeyLastUsed"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/*"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
```
------
# AWS: Allows specific access using MFA within specific dates
This example shows how you might create an identity-based policy that uses multiple conditions, which are evaluated using a logical `AND`. It allows full access to the service named `SERVICE-NAME-1`, and access to the `ACTION-NAME-A` and `ACTION-NAME-B` actions in the service named `SERVICE-NAME-2`. These actions are allowed only when the user is authenticated using [multifactor authentication (MFA)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa.html). Access is restricted to actions that occur between July 1, 2017 and December 31, 2017 (UTC), inclusive. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
To learn about using multiple conditions within the `Condition` block of an IAM policy, see [Multiple values in a condition](reference_policies_elements_condition.md#Condition-multiple-conditions).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"service-prefix-1:*",
"service-prefix-2:action-name-a",
"service-prefix-2:action-name-b"
],
"Resource": "*",
"Condition": {
"Bool": {"aws:MultiFactorAuthPresent": true},
"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
"DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}
}
}
}
```
------
# AWS: Allows IAM users to manage their own credentials on the Security credentials page
This example shows how you might create an identity-based policy that allows IAM users to manage all of their own credentials on the **Security credentials** page. This AWS Management Console page displays account information such as the account ID and canonical user ID. Users can also view and edit their own passwords, access keys, X.509 certificates, SSH keys, and Git credentials. This example policy includes the permissions required to view and edit all information on the page *except* the user's MFA device. To allow users to manage their own credentials with MFA, see [AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage.md).
To learn how users can access the **Security credentials** page, see [How IAM users change their own password (console)](id_credentials_passwords_user-change-own.md#ManagingUserPwdSelf-Console).
**What does this policy do? **
+ The `AllowViewAccountInfo` statement allows the user to view account-level information. These permissions must be in their own statement because they do not support or do not need to specify a resource ARN. Instead the permissions specify `"Resource" : "*"`. This statement includes the following actions that allow the user to view specific information:
+ `GetAccountPasswordPolicy` – View the account password requirements while changing their own IAM user password.
+ `GetAccountSummary` – View the account ID and the account [canonical user ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingCanonicalId).
+ The `AllowManageOwnPasswords` statement allows the user to change their own password. This statement also includes the `GetUser` action, which is required to view most of the information on the **My security credentials** page.
+ The `AllowManageOwnAccessKeys` statement allows the user to create, update, and delete their own access keys. The user can also retrieve information about when the specified access key was last used.
+ The `AllowManageOwnSigningCertificates` statement allows the user to upload, update, and delete their own signing certificates.
+ The `AllowManageOwnSSHPublicKeys` statement allows the user to upload, update, and delete their own SSH public keys for CodeCommit.
+ The `AllowManageOwnGitCredentials` statement enables the user to create, update, and delete their own Git credentials for CodeCommit.
This policy does not allow users to view or manage their own MFA devices. They also cannot view the **Users** page in the IAM console or use that page to access their own user information. To allow this, add the `iam:ListUsers` action to the `AllowViewAccountInfo` statement. It also does not allow users to change their password on their own user page. To allow this, add the `iam:CreateLoginProfile`, `iam:DeleteLoginProfile`, `iam:GetLoginProfile`, and `iam:UpdateLoginProfile` actions to the `AllowManageOwnPasswords` statement.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:GetAccessKeyLastUsed"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
```
------
# AWS: Allows MFA-authenticated IAM users to manage their own MFA device on the Security credentials page
This example shows how you might create an identity-based policy that allows IAM users that are authenticated through [multi-factor authentication (MFA)](id_credentials_mfa.md) to manage their own MFA device on the **Security credentials** page. This AWS Management Console page displays account and user information, but the user can only view and edit their own MFA device. To allow users to manage all of their own credentials with MFA, see [AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage.md).
**Note**
If an IAM user with this policy is not MFA-authenticated, this policy denies access to all AWS actions except those necessary to authenticate using MFA. To use the AWS CLI and AWS API, IAM users must first retrieve their MFA token using the AWS STS [GetSessionToken](https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html) operation and then use that token to authenticate the desired operation. Other policies, such as resource-based policies or other identity-based policies can allow actions in other services. This policy will deny that access if the IAM user is not MFA-authenticated.
To learn how users can access the **Security credentials** page, see [How IAM users change their own password (console)](id_credentials_passwords_user-change-own.md#ManagingUserPwdSelf-Console).
**What does this policy do? **
+ The `AllowViewAccountInfo` statement allows the user to view details about a virtual MFA device that is enabled for the user. This permission must be in its own statement because it does not support specifying a resource ARN. Instead you must specify `"Resource" : "*"`.
+ The `AllowManageOwnVirtualMFADevice` statement allows the user to create their own virtual MFA device. The resource ARN in this statement allows the user to create an MFA device with any name, but the other statements in the policy only allow the user to attach the device to the currently signed-in user.
+ The `AllowManageOwnUserMFA` statement allows the user to view or manage their own virtual, U2F, or hardware MFA device. The resource ARN in this statement allows access to only the user's own IAM user. Users can't view or manage the MFA device for other users.
+ The `DenyAllExceptListedIfNoMFA` statement denies access to every action in all AWS services, except a few listed actions, but ***only if*** the user is not signed in with MFA. The statement uses a combination of `"Deny"` and `"NotAction"` to explicitly deny access to every action that is not listed. The items listed are not denied or allowed by this statement. However, the actions are allowed by other statements in the policy. For more information about the logic for this statement, see [NotAction with Deny](reference_policies_elements_notaction.md). If the user is signed in with MFA, then the `Condition` test fails and this statement does not deny any actions. In this case, other policies or statements for the user determine the user's permissions.
This statement ensures that when the user is not signed in with MFA, they can perform only the listed actions. In addition, they can perform the listed actions only if another statement or policy allows access to those actions.
The `...IfExists` version of the `Bool` operator ensures that if the `aws:MultiFactorAuthPresent` key is missing, the condition returns true. This means that a user accessing an API operation with long-term credentials, such as an access key, is denied access to the non-IAM API operations.
This policy does not allow users to view the **Users** page in the IAM console or use that page to access their own user information. To allow this, add the `iam:ListUsers` action to the `AllowViewAccountInfo` statement and the `DenyAllExceptListedIfNoMFA` statement.
**Warning**
Do not add permission to delete an MFA device without MFA authentication. Users with this policy might attempt to assign themselves a virtual MFA device and receive an error that they are not authorized to perform `iam:DeleteVirtualMFADevice`. If this happens, **do not** add that permission to the `DenyAllExceptListedIfNoMFA` statement. Users that are not authenticated using MFA should never be allowed to delete their MFA device. Users might see this error if they previously began assigning a virtual MFA device to their user and cancelled the process. To resolve this issue, you or another administrator must delete the user's existing virtual MFA device using the AWS CLI or AWS API. For more information, see [I am not authorized to perform: iam:DeleteVirtualMFADevice](troubleshoot.md#troubleshoot_general_access-denied-delete-mfa).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": "iam:ListVirtualMFADevices",
"Resource": "*"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/*"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
}
}
]
}
```
------
# AWS: Allows IAM users to change their own console password on the Security credentials page
This example shows how you might create an identity-based policy that allows IAM users to change their own AWS Management Console password on the **Security credentials** page. This AWS Management Console page displays account and user information, but the user can only access their own password. To allow users to manage all of their own credentials with MFA, see [AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage.md). To allow users to manage their own credentials without using MFA, see [AWS: Allows IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage-no-mfa.md).
To learn how users can access the **Security credentials** page, see [How IAM users change their own password (console)](id_credentials_passwords_user-change-own.md#ManagingUserPwdSelf-Console).
**What does this policy do? **
+ The `ViewAccountPasswordRequirements` statement allows the user to view the account password requirements while changing their own IAM user password.
+ The `ChangeOwnPassword` statement allows the user to change their own password. This statement also includes the `GetUser` action, which is required to view most of the information on the **My security credentials** page.
This policy does not allow users to view the **Users** page in the IAM console or use that page to access their own user information. To allow this, add the `iam:ListUsers` action to the `ViewAccountPasswordRequirements` statement. It also does not allow users to change their password on their own user page. To allow this, add the `iam:GetLoginProfile` and `iam:UpdateLoginProfile` actions to the `ChangeOwnPasswords` statement.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ViewAccountPasswordRequirements",
"Effect": "Allow",
"Action": "iam:GetAccountPasswordPolicy",
"Resource": "*"
},
{
"Sid": "ChangeOwnPassword",
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:ChangePassword"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
```
------
# AWS: Allows IAM users to manage their own password, access keys, and SSH public keys on the Security credentials page
This example shows how you might create an identity-based policy that allows IAM users to manage their own password, access keys, and X.509 certificates on the **Security credentials** page. This AWS Management Console page displays account information such as the account ID and canonical user ID. Users can also view and edit their own passwords, access keys, MFA devices, X.509 certificates, SSH keys, and Git credentials. This example policy includes the permissions that are required to view and edit only their password, access keys, and X.509 certificate. To allow users to manage all of their own credentials with MFA, see [AWS: Allows MFA-authenticated IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage.md). To allow users to manage their own credentials without using MFA, see [AWS: Allows IAM users to manage their own credentials on the Security credentials page](reference_policies_examples_aws_my-sec-creds-self-manage-no-mfa.md).
To learn how users can access the **Security credentials** page, see [How IAM users change their own password (console)](id_credentials_passwords_user-change-own.md#ManagingUserPwdSelf-Console).
**What does this policy do? **
+ The `AllowViewAccountInfo` statement allows the user to view account-level information. These permissions must be in their own statement because they do not support or do not need to specify a resource ARN. Instead the permissions specify `"Resource" : "*"`. This statement includes the following actions that allow the user to view specific information:
+ `GetAccountPasswordPolicy` – View the account password requirements while changing their own IAM user password.
+ `GetAccountSummary` – View the account ID and the account [canonical user ID](https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingCanonicalId).
+ The `AllowManageOwnPasswords` statement allows the user to change their own password. This statement also includes the `GetUser` action, which is required to view most of the information on the **My security credentials** page.
+ The `AllowManageOwnAccessKeys` statement allows the user to create, update, and delete their own access keys. The user can also retrieve information about when the specified access key was last used.
+ The `AllowManageOwnSSHPublicKeys` statement allows the user to upload, update, and delete their own SSH public keys for CodeCommit.
This policy does not allow users to view or manage their own MFA devices. They also cannot view the **Users** page in the IAM console or use that page to access their own user information. To allow this, add the `iam:ListUsers` action to the `AllowViewAccountInfo` statement. It also does not allow users to change their password on their own user page. To allow this, add the `iam:GetLoginProfile` and `iam:UpdateLoginProfile` actions to the `AllowManageOwnPasswords` statement.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:GetAccessKeyLastUsed"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
```
------
# AWS: Denies access to AWS based on the requested Region
This example shows how you might create an identity-based policy that denies access to any actions outside the Regions specified using the [`aws:RequestedRegion` condition key](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion), except for actions in the services specified using `NotAction`. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
This policy uses the `NotAction` element with the `Deny` effect, which explicitly denies access to all of the actions *not* listed in the statement. Actions in the CloudFront, IAM, Route 53, and Support services should not be denied because these are popular AWS global services with a single endpoint that is physically located in the `us-east-1` Region. Because all requests to these services are made to the `us-east-1` Region, the requests would be denied without the `NotAction` element. Edit this element to include actions for other AWS global services that you use, such as `budgets`, `globalaccelerator`, `importexport`, `organizations`, or `waf`. Some other global services, such as Amazon Q Developer in chat applications and AWS Device Farm, are global services with endpoints that are physically located in the `us-west-2` region. To learn about all of the services that have a single global endpoint, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) in the *AWS General Reference*. For more information about using the `NotAction` element with the `Deny` effect, see [IAM JSON policy elements: NotAction](reference_policies_elements_notaction.md).
**Important**
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyAllOutsideRequestedRegions",
"Effect": "Deny",
"NotAction": [
"cloudfront:*",
"iam:*",
"organizations:*",
"route53:*",
"support:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"eu-central-1",
"eu-west-1",
"eu-west-2",
"eu-west-3"
]
}
}
}
]
}
```
------
# AWS: Denies access to AWS based on the source IP
This example shows how you might create an identity-based policy that denies access to all AWS actions in the account when the request comes from *principals* outside the specified IP range. The policy is useful when the IP addresses for your company are within the specified ranges. In this example, the request will be denied unless it originates from the CIDR range 192.0.2.0/24 or 203.0.113.0/24. The policy does not deny requests made by AWS services using [Forward access sessions](access_forward_access_sessions.md) as the original requester’s IP address is preserved.
Be careful using negative conditions in the same policy statement as `"Effect": "Deny"`. When you do, the actions specified in the policy statement are explicitly denied in all conditions *except* for the ones specified.
**Important**
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
When other policies allow actions, principals can make requests from within the IP address range. An AWS service can also make requests using the principal's credentials. When a principal makes a request from outside the IP range, the request is denied.
For more information about using the `aws:SourceIp` condition key, including information about when `aws:SourceIp` may not work in your policy, see [AWS global condition context keys](reference_policies_condition-keys.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]
}
}
}
}
```
------
# AWS: Deny access to Amazon S3 resources outside your account except AWS Data Exchange
This example shows how you might create an identity-based policy that denies access to all resources in AWS that don't belong to your account, except for the resources that AWS Data Exchange requires for normal operation. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
You can create a similar policy to restrict access to resources within an organization or an organizational unit, while accounting for AWS Data Exchange owned resources by using the condition keys `aws:ResourceOrgPaths` and `aws:ResourceOrgID`.
If you use AWS Data Exchange in your environment, the service creates and interacts with resources such as Amazon S3 buckets owned by the service account. For example, AWS Data Exchange sends requests to Amazon S3 buckets owned by the AWS Data Exchange service on behalf of the IAM principal (user or role) invoking the AWS Data Exchange APIs. In that case, using `aws:ResourceAccount`, `aws:ResourceOrgPaths`, or `aws:ResourceOrgID` in a policy, without accounting for AWS Data Exchange owned resources, denies access to the buckets owned by the service account.
+ The statement, `DenyAllAwsResourcesOutsideAccountExceptS3`, uses the `NotAction` element with the [Deny](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_effect.html) effect which explicitly denies access to every action not listed in the statement that also do not belong to the listed account. The `NotAction` element indicates the exceptions to this statement. These actions are the exception to this statement because if the actions are performed on resources created by AWS Data Exchange, the policy denies them.
+ The statement, `DenyAllS3ResoucesOutsideAccountExceptDataExchange`, uses a combination of the `ResourceAccount` and `CalledVia` conditions to deny access to the three Amazon S3 actions excluded in the previous statement. The statement denies the actions if resources do not belong in the listed account and if the calling service is not AWS Data Exchange. The statement does not deny the actions if either the resource belongs to the listed account or the listed service principal, `dataexchange.amazonaws.com`, performs the operations.
**Important**
This policy does not allow any actions. It uses the `Deny` effect which explicitly denies access to all of the resources listed in the statement that do not belong to the listed account. Use this policy in combination with other policies that allow access to specific resources.
The following example shows how you can configure the policy to allow access to the required Amazon S3 buckets.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "DenyAllAwsReourcesOutsideAccountExceptAmazonS3",
"Effect": "Deny",
"NotAction": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:ResourceAccount": [
"111122223333"
]
}
}
},
{
"Sid": "DenyAllS3ResourcesOutsideAccountExceptDataExchange",
"Effect": "Deny",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:ResourceAccount": [
"111122223333"
]
},
"ForAllValues:StringNotEquals": {
"aws:CalledVia": [
"dataexchange.amazonaws.com"
]
}
}
}
]
}
```
------
# AWS Data Pipeline: Denies access to DataPipeline pipelines that a user did not create
This example shows how you might create an identity-based policy that denies access to pipelines that a user did not create. If the value of the `PipelineCreator` field matches the IAM user name, then the specified actions are not denied. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI.
**Important**
This policy does not allow any actions. Use this policy in combination with other policies that allow specific actions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ExplicitDenyIfNotTheOwner",
"Effect": "Deny",
"Action": [
"datapipeline:ActivatePipeline",
"datapipeline:AddTags",
"datapipeline:DeactivatePipeline",
"datapipeline:DeletePipeline",
"datapipeline:DescribeObjects",
"datapipeline:EvaluateExpression",
"datapipeline:GetPipelineDefinition",
"datapipeline:PollForTask",
"datapipeline:PutPipelineDefinition",
"datapipeline:QueryObjects",
"datapipeline:RemoveTags",
"datapipeline:ReportTaskProgress",
"datapipeline:ReportTaskRunnerHeartbeat",
"datapipeline:SetStatus",
"datapipeline:SetTaskStatus",
"datapipeline:ValidatePipelineDefinition"
],
"Resource": ["*"],
"Condition": {
"StringNotEquals": {"datapipeline:PipelineCreator": "${aws:userid}"}
}
}
]
}
```
------
# Amazon DynamoDB: Allows access to a specific table
This example shows how you might create an identity-based policy that allows full access to the `MyTable` DynamoDB table. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
**Important**
This policy allows all actions that can be performed on a DynamoDB table. To review these actions, see [DynamoDB API Permissions: Actions, Resources, and Conditions Reference](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/api-permissions-reference.html) in the* Amazon DynamoDB Developer Guide*. You could provide the same permissions by listing each individual action. However, if you use the wildcard (`*`) in the `Action` element, such as `"dynamodb:List*"`, then you don't have to update your policy if DynamoDB adds a new List action.
This policy allows actions only on DynamoDB tables that exist with the specified name. To allow your users `Read` access to everything in DynamoDB, you can also attach the [AmazonDynamoDBReadOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess) AWS managed policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAndDescribe",
"Effect": "Allow",
"Action": [
"dynamodb:List*",
"dynamodb:DescribeReservedCapacity*",
"dynamodb:DescribeLimits",
"dynamodb:DescribeTimeToLive"
],
"Resource": "*"
},
{
"Sid": "SpecificTable",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGet*",
"dynamodb:DescribeStream",
"dynamodb:DescribeTable",
"dynamodb:Get*",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWrite*",
"dynamodb:CreateTable",
"dynamodb:Delete*",
"dynamodb:Update*",
"dynamodb:PutItem"
],
"Resource": "arn:aws:dynamodb:*:*:table/MyTable"
}
]
}
```
------
# Amazon DynamoDB: Allows access to specific attributes
This example shows how you might create an identity-based policy that allows access to the specific DynamoDB attributes. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The `dynamodb:Select` requirement prevents the API action from returning any attributes that aren't allowed, such as from an index projection. To learn more about DynamoDB condition keys, see [Specifying Conditions: Using Condition Keys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys) in the* Amazon DynamoDB Developer Guide*. To learn about using multiple conditions or multiple condition keys within the `Condition` block of an IAM policy, see [Multiple values in a condition](reference_policies_elements_condition.md#Condition-multiple-conditions).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": ["arn:aws:dynamodb:*:*:table/table-name"],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": [
"column-name-1",
"column-name-2",
"column-name-3"
]
},
"StringEqualsIfExists": {"dynamodb:Select": "SPECIFIC_ATTRIBUTES"}
}
}
]
}
```
------
# Amazon DynamoDB: Allows item-level access to DynamoDB based on an Amazon Cognito ID
This example shows how you might create an identity-based policy that allows item-level access to the `MyTable` DynamoDB table based on an Amazon Cognito identity pool user ID. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
To use this policy, you must structure your DynamoDB table so the Amazon Cognito identity pool user ID is the partition key. For more information, see [Creating a Table](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithTables.Basics.html#WorkingWithTables.Basics.CreateTable) in the *Amazon DynamoDB Developer Guide*.
To learn more about DynamoDB condition keys, see [Specifying Conditions: Using Condition Keys](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html#FGAC_DDB.ConditionKeys) in the* Amazon DynamoDB Developer Guide*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": ["arn:aws:dynamodb:*:*:table/MyTable"],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": ["${cognito-identity.amazonaws.com:sub}"]
}
}
}
]
}
```
------
# Amazon EC2: Attach or detach Amazon EBS volumes to EC2 instances based on tags
This example shows how you might create an identity-based policy that allows EBS volume owners to attach or detach their EBS volumes defined using the tag `VolumeUser` to EC2 instances that are tagged as development instances (`Department=Development`). This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
For more information about creating IAM policies to control access to Amazon EC2 resources, see [Controlling Access to Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UsingIAM.html) in the *Amazon EC2 User Guide*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {"aws:ResourceTag/Department": "Development"}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": "arn:aws:ec2:*:*:volume/*",
"Condition": {
"StringEquals": {"aws:ResourceTag/VolumeUser": "${aws:username}"}
}
}
]
}
```
------
# Amazon EC2: Allows launching EC2 instances in a specific subnet, programmatically and in the console
This example shows how you might create an identity-based policy that allows listing information for all EC2 objects and launching EC2 instances in a specific subnet. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:GetConsole*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*:*:subnet/subnet-subnet-id",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::image/ami-*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:security-group/*"
]
}
]
}
```
------
# Amazon EC2: Allows managing EC2 security groups with a specific tag key-value pair programmatically and in the console
This example shows how you might create an identity-based policy that grants users permission to take certain actions for security groups that have the same tag. This policy grants permissions to view security groups in the Amazon EC2 console, add and remove inbound and outbound rules, and list and modify rule descriptions for existing security groups with the tag `Department=Test`. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupEgress",
"ec2:ModifySecurityGroupRules",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:security-group/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/Department": "Test"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifySecurityGroupRules"
],
"Resource": [
"arn:aws:ec2:us-east-1:111122223333:security-group-rule/*"
]
}
]
}
```
------
# Amazon EC2: Allows starting or stopping EC2 instances a user has tagged, programmatically and in the console
This example shows how you might create an identity-based policy that allows an IAM user to start or stop EC2 instances, but only if the instance tag `Owner` has the value of that user's user name. This policy defines permissions for programmatic and console access.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Owner": "${aws:username}"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:DescribeInstances",
"Resource": "*"
}
]
}
```
------
# EC2: Start or stop instances based on tags
This example shows how you might create an identity-based policy that allows starting or stopping instances with the tag key–value pair `Project = DataAnalytics`, but only by principals with the tag key–value pair `Department = Data`. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The condition in the policy returns true if both parts of the condition are true. The instance must have the `Project=DataAnalytics` tag. In addition, the IAM principal (user or role) making the request must have the `Department=Data` tag.
**Note**
As a best practice, attach policies with the `aws:PrincipalTag` condition key to IAM groups, for the case where some users might have the specified tag and some might not.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "StartStopIfTags",
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Project": "DataAnalytics",
"aws:PrincipalTag/Department": "Data"
}
}
}
]
}
```
------
# EC2: Start or stop instances based on matching principal and resource tags
This example shows how you might create an identity-based policy that allows a principal to start or stop an Amazon EC2 instance when the instance's resource tag and the principal's tag have the same value for the tag key `CostCenter`. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
**Note**
As a best practice, attach policies with the `aws:PrincipalTag` condition key to IAM groups, for the case where some users might have the specified tag and some might not.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"ec2:startInstances",
"ec2:stopInstances"
],
"Resource": "*",
"Condition": {"StringEquals":
{"aws:ResourceTag/CostCenter": "${aws:PrincipalTag/CostCenter}"}}
}
}
```
------
# Amazon EC2: Allows full EC2 access within a specific Region, programmatically and in the console
This example shows how you might create an identity-based policy that allows full EC2 access within a specific Region. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md). For a list of Region codes, see [Available Regions](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) in the *Amazon EC2 User Guide*.
Alternatively, you can use the global condition key [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requestedregion), which is supported by all Amazon EC2 API actions. For more information, see [Example: Restricting access to a specific Region](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ExamplePolicies_EC2.html#iam-example-region) in the *Amazon EC2 User Guide*.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:Region": "us-east-2"
}
}
}
]
}
```
------
# Amazon EC2: Allows starting or stopping an EC2 instance and modifying a security group, programmatically and in the console
This example shows how you might create an identity-based policy that allows starting or stopping a specific EC2 instance and modifying a specific security group. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"ec2:DescribeInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeStaleSecurityGroups"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": [
"arn:aws:ec2:*:*:instance/i-instance-id",
"arn:aws:ec2:*:*:security-group/sg-security-group-id"
],
"Effect": "Allow"
}
]
}
```
------
# Amazon EC2: Requires MFA (GetSessionToken) for specific EC2 operations
This example shows how you might create an identity-based policy that allows full access to all AWS API operations in Amazon EC2. However, it explicitly denies access to `StopInstances` and `TerminateInstances` API operations if the user is not authenticated using [multi-factor authentication (MFA)](id_credentials_mfa.md). To do this programmatically, the user must include optional `SerialNumber` and `TokenCode` values while calling the `GetSessionToken` operation. This operation returns temporary credentials that were authenticated using MFA. To learn more about GetSessionToken, see [Requesting credentials for users in untrusted environments](id_credentials_temp_request.md#api_getsessiontoken).
What does this policy do?
+ The `AllowAllActionsForEC2` statement allows all Amazon EC2 actions.
+ The `DenyStopAndTerminateWhenMFAIsNotPresent` statement denies the `StopInstances` and `TerminateInstances` actions when the MFA context is missing. This means that the actions are denied when the multi-factor authentication context is missing (meaning MFA was not used). A deny overrides the allow.
**Note**
The condition check for `MultiFactorAuthPresent` in the `Deny` statement should not be a `{"Bool":{"aws:MultiFactorAuthPresent":false}}` because that key is not present and cannot be evaluated when MFA is not used. So instead, use the `BoolIfExists` check to see whether the key is present before checking the value. For more information, see [...IfExists condition operators](reference_policies_elements_condition_operators.md#Conditions_IfExists).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAllActionsForEC2",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*"
},
{
"Sid": "DenyStopAndTerminateWhenMFAIsNotPresent",
"Effect": "Deny",
"Action": [
"ec2:StopInstances",
"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {"aws:MultiFactorAuthPresent": false}
}
}
]
}
```
------
# Amazon EC2: Limits terminating EC2 instances to an IP address range
This example shows how you might create an identity-based policy that limits EC2 instances by allowing the action, but explicitly denying access when the request comes from outside the specified IP range. The policy is useful when the IP addresses for your company are within the specified ranges. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
If this policy is used in combination with other policies that allow the `ec2:TerminateInstances` action (such as the [AmazonEC2FullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEC2FullAccess) AWS managed policy), then access is denied. This is because an explicit deny statement takes precedence over allow statements. For more information, see [How AWS enforcement code logic evaluates requests to allow or deny access](reference_policies_evaluation-logic_policy-eval-denyallow.md).
**Important**
The `aws:SourceIp` condition key denies access to an AWS service, such as AWS CloudFormation, that makes calls on your behalf. For more information about using the `aws:SourceIp` condition key, see [AWS global condition context keys](reference_policies_condition-keys.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:TerminateInstances"],
"Resource": ["*"]
},
{
"Effect": "Deny",
"Action": ["ec2:TerminateInstances"],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"192.0.2.0/24",
"203.0.113.0/24"
]
}
},
"Resource": ["*"]
}
]
}
```
------
# IAM: Access the policy simulator API
This example shows how you might create an identity-based policy that allows using the policy simulator API for policies attached to a user, group, or role in the current AWS account. This policy also allows access to simulate less sensitive policies passed to the API as strings. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"iam:GetContextKeysForCustomPolicy",
"iam:GetContextKeysForPrincipalPolicy",
"iam:SimulateCustomPolicy",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
**Note**
To allow a user to access the policy simulator console to simulate policies attached to a user, group, or role in the current AWS account, see [IAM: Access the policy simulator console](reference_policies_examples_iam_policy-sim-console.md).
# IAM: Access the policy simulator console
This example shows how you might create an identity-based policy that allows using the policy simulator console for policies attached to a user, group, or role in the current AWS account. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI.
You can access the IAM Policy Simulator console at: [https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"iam:GetGroup",
"iam:GetGroupPolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListGroups",
"iam:ListGroupPolicies",
"iam:ListGroupsForUser",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUsers"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
```
------
# IAM: Assume roles that have a specific tag
This example shows how you might create an identity-based policy that allows an IAM user to assume roles with the tag key-value pair `Project = ExampleCorpABC`. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
If a role with this tag exists in the same account as the user, then the user can assume that role. If a role with this tag exists in an account other than the user's, it requires additional permissions. The cross-account role's trust policy must also allow the user or all members of the user's account to assume the role. For information about using roles for cross-account access, see [Access for an IAM user in another AWS account that you own](id_roles_common-scenarios_aws-accounts.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AssumeTaggedRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*",
"Condition": {
"StringEquals": {"iam:ResourceTag/Project": "ExampleCorpABC"}
}
}
]
}
```
------
# IAM: Allows and denies access to multiple services programmatically and in the console
This example shows how you might create an identity-based policy that allows full access to several services and limited self-managing access in IAM. It also denies access to the Amazon S3 `logs` bucket or the Amazon EC2 `i-1234567890abcdef0` instance. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
**Warning**
This policy allows full access to every action and resource in multiple services. This policy should be applied only to trusted administrators.
You can use this policy as a permissions boundary to define the maximum permissions that an identity-based policy can grant to an IAM user. For more information, see [Delegating responsibility to others using permissions boundaries](access_policies_boundaries.md#access_policies_boundaries-delegate). When the policy is used as a permissions boundary for a user, the statements define the following boundaries:
+ The `AllowServices` statement allows full access to the specified AWS services. This means that the user's actions in these services are limited only by the permissions policies that are attached to the user.
+ The `AllowIAMConsoleForCredentials` statement allows access to list all IAM users. This access is necessary to navigate the **Users** page in the AWS Management Console. It also allows viewing the password requirements for the account, which is necessary for the user to change their own password.
+ The `AllowManageOwnPasswordAndAccessKeys` statement allows the users manage only their own console password and programmatic access keys. This is important because if another policy gives a user full IAM access, that user could then change their own or other users' permissions. This statement prevents that from happening.
+ The `DenyS3Logs` statement explicitly denies access to the `logs` bucket. This policy enforces company restrictions on the user.
+ The `DenyEC2Production` statement explicitly denies access to the `i-1234567890abcdef0` instance.
This policy does not allow access to other services or actions. When the policy is used as a permissions boundary on a user, even if other policies attached to the user allow those actions, AWS denies the request.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowServices",
"Effect": "Allow",
"Action": [
"s3:*",
"cloudwatch:*",
"ec2:*"
],
"Resource": "*"
},
{
"Sid": "AllowIAMConsoleForCredentials",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswordAndAccessKeys",
"Effect": "Allow",
"Action": [
"iam:*AccessKey*",
"iam:ChangePassword",
"iam:GetUser",
"iam:*LoginProfile*"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
},
{
"Sid": "DenyS3Logs",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::logs",
"arn:aws:s3:::logs/*"
]
},
{
"Sid": "DenyEC2Production",
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "arn:aws:ec2:*:*:instance/i-1234567890abcdef0"
}
]
}
```
------
# IAM: Add a specific tag to a user with a specific tag
This example shows how you might create an identity-based policy that allows adding the tag key `Department` with the tag values `Marketing`, `Development`, or `QualityAssurance` to an IAM user. That user must already include the tag key–value pair `JobFunction = manager`. You can use this policy to require that a manager belong to only one of three departments. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The `ListTagsForAllUsers` statement allows the viewing of tags for all users in your account.
The first condition in the `TagManagerWithSpecificDepartment` statement uses the `StringEquals` condition operator. The condition returns true if both parts of the condition are true. The user to be tagged must already have the `JobFunction=Manager` tag. The request must include the `Department` tag key with one of the listed tag values.
The second condition uses the `ForAllValues:StringEquals` condition operator. The condition returns true if all of the tag keys in the request match the key in the policy. This means that the only tag key in the request must be `Department`. For more information about using `ForAllValues`, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListTagsForAllUsers",
"Effect": "Allow",
"Action": [
"iam:ListUserTags",
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "TagManagerWithSpecificDepartment",
"Effect": "Allow",
"Action": "iam:TagUser",
"Resource": "*",
"Condition": {"StringEquals": {
"iam:ResourceTag/JobFunction": "Manager",
"aws:RequestTag/Department": [
"Marketing",
"Development",
"QualityAssurance"
]
},
"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}
}
}
]
}
```
------
# IAM: Add a specific tag with specific values
This example shows how you might create an identity-based policy that allows adding only the tag key `CostCenter` and either the tag value `A-123` or the tag value `B-456` to any IAM user or role. You can use this policy to limit tagging to a specific tag key and set of tag values. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The `ConsoleDisplay` statement allows the viewing of tags for all users and roles in your account.
The first condition in the `AddTag` statement uses the `StringEquals` condition operator. The condition returns true if the request includes the `CostCenter` tag key with one of the listed tag values.
The second condition uses the `ForAllValues:StringEquals` condition operator. The condition returns true if all of the tag keys in the request match the key in the policy. This means that the only tag key in the request must be `CostCenter`. For more information about using `ForAllValues`, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ConsoleDisplay",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:GetUser",
"iam:ListRoles",
"iam:ListRoleTags",
"iam:ListUsers",
"iam:ListUserTags"
],
"Resource": "*"
},
{
"Sid": "AddTag",
"Effect": "Allow",
"Action": [
"iam:TagUser",
"iam:TagRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestTag/CostCenter": [
"A-123",
"B-456"
]
},
"ForAllValues:StringEquals": {"aws:TagKeys": "CostCenter"}
}
}
]
}
```
------
# IAM: Create new users only with specific tags
This example shows how you might create an identity-based policy that allows the creation of IAM users but only with one or both of the `Department` and `JobFunction` tag keys. The `Department` tag key must have either the `Development` or `QualityAssurance` tag value. The `JobFunction` tag key must have the `Employee` tag value. You can use this policy to require that new users have a specific job function and department. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The first condition in the statement uses the `StringEqualsIfExists` condition operator. If a tag with the `Department` or `JobFunction` key is present in the request, then the tag must have the specified value. If neither key is present, then this condition is evaluated as true. The only way that the condition evaluates as false is if one of the specified condition keys is present in the request, but has a different value than those allowed. For more information about using `IfExists`, see [...IfExists condition operators](reference_policies_elements_condition_operators.md#Conditions_IfExists).
The second condition uses the `ForAllValues:StringEquals` condition operator. The condition returns true if there's a match between every one of the specified tag keys specified in the request, and at least one value in the policy. This means that all of the tags in the request must be in this list. However, the request can include only one of the tags in the list. For example, you can create an IAM user with only the `Department=QualityAssurance` tag. However, you cannot create an IAM user with the `JobFunction=employee` tag and the `Project=core` tag. For more information about using `ForAllValues`, see [Set operators for multivalued context keys](reference_policies_condition-single-vs-multi-valued-context-keys.md#reference_policies_condition-multi-valued-context-keys).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "TagUsersWithOnlyTheseTags",
"Effect": "Allow",
"Action": [
"iam:CreateUser",
"iam:TagUser"
],
"Resource": "*",
"Condition": {
"StringEqualsIfExists": {
"aws:RequestTag/Department": [
"Development",
"QualityAssurance"
],
"aws:RequestTag/JobFunction": "Employee"
},
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"Department",
"JobFunction"
]
}
}
}
]
}
```
------
# IAM: Generate and retrieve IAM credential reports
This example shows how you might create an identity-based policy that allows users to generate and download a report that lists all IAM users in their AWS account. The report includes the status of the users' credentials, including passwords, access keys, MFA devices, and signing certificates. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI.
For more information about credential reports, see [Generate credential reports for your AWS account](id_credentials_getting-report.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:GenerateCredentialReport",
"iam:GetCredentialReport"
],
"Resource": "*"
}
}
```
------
# IAM: Allows managing a group's membership programmatically and in the console
This example shows how you might create an identity-based policy that allows updating the membership of the group called `MarketingTeam`. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
What does this policy do?
+ The `ViewGroups` statement allows the user to list all the users and groups in the AWS Management Console. It also allows the user to view basic information about the users in the account. These permissions must be in their own statement because they do not support or do not need to specify a resource ARN. Instead the permissions specify `"Resource" : "*"`.
+ The `ViewEditThisGroup` statement allows the user to view information about the `MarketingTeam` group, and to add and remove users from that group.
This policy does not allow the user to view or edit the permissions of the users or the `MarketingTeam` group.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ViewGroups",
"Effect": "Allow",
"Action": [
"iam:ListGroups",
"iam:ListUsers",
"iam:GetUser",
"iam:ListGroupsForUser"
],
"Resource": "*"
},
{
"Sid": "ViewEditThisGroup",
"Effect": "Allow",
"Action": [
"iam:AddUserToGroup",
"iam:RemoveUserFromGroup",
"iam:GetGroup"
],
"Resource": "arn:aws:iam::*:group/MarketingTeam"
}
]
}
```
------
# IAM: Manage a specific tag
This example shows how you might create an identity-based policy that allows adding and removing the IAM tag with the tag key `Department` from IAM entities (users and roles). This policy does not limit the value of the `Department` tag. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:TagUser",
"iam:TagRole",
"iam:UntagUser",
"iam:UntagRole"
],
"Resource": "*",
"Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": "Department"}}
}
}
```
------
# IAM: Pass an IAM role to a specific AWS service
This example shows how you might create an identity-based policy that allows passing any IAM service role to the Amazon CloudWatch service. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
A service role is an IAM role that specifies an AWS service as the principal that can assume the role. This allows the service to assume the role and access resources in other services on your behalf. To allow Amazon CloudWatch to assume the role that you pass, you must specify the `cloudwatch.amazonaws.com` service principal as the principal in the trust policy of your role. The service principal is defined by the service. To learn the service principal for a service, see the documentation for that service. For some services, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md) and look for the services that have **Yes **in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service. Search for `amazonaws.com` to view the service principal.
To learn more about passing a service role to a service, see [Grant a user permissions to pass a role to an AWS service](id_roles_use_passrole.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {"iam:PassedToService": "cloudwatch.amazonaws.com"}
}
}
]
}
```
------
# IAM: Allows read-only access to the IAM console without reporting
This example shows how you might create an identity-based policy that allows IAM users to perform any IAM action that begins with the string `Get` or `List`. As users work with the console, the console makes requests to IAM to list groups, users, roles, and policies, and to generate reports about those resources.
The asterisk acts as a wildcard. When you use `iam:Get*` in a policy, the resulting permissions include all IAM actions that begin with `Get`, such as `GetUser` and `GetRole`. Wildcards are useful if new types of entities are added to IAM in the future. In that case, the permissions granted by the policy automatically allow the user to list and get the details about those new entities.
This policy cannot be used to generate reports or service last accessed details. For a different policy that allows this, see [IAM: Allows read-only access to the IAM console](reference_policies_examples_iam_read-only-console.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:List*"
],
"Resource": "*"
}
}
```
------
# IAM: Allows read-only access to the IAM console
This example shows how you might create an identity-based policy that allows IAM users to perform any IAM action that begins with the string `Get`, `List`, or `Generate`. As users work with the IAM console, the console makes requests to list groups, users, roles, and policies, and to generate reports about those resources.
The asterisk acts as a wildcard. When you use `iam:Get*` in a policy, the resulting permissions include all IAM actions that begin with `Get`, such as `GetUser` and `GetRole`. Using a wildcard is beneficial, especially if new types of entities are added to IAM in the future. In that case, the permissions granted by the policy automatically allow the user to list and get the details about those new entities.
Use this policy for console access that includes permissions to generate reports or service last accessed details. For a different policy that does not allow generating actions, see [IAM: Allows read-only access to the IAM console without reporting](reference_policies_examples_iam_read-only-console-no-reporting.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:List*",
"iam:Generate*"
],
"Resource": "*"
}
}
```
------
# IAM: Allows specific IAM users to manage a group programmatically and in the console
This example shows how you might create an identity-based policy that allows specific IAM users to manage the `AllUsers` group. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
What does this policy do?
+ The `AllowAllUsersToListAllGroups` statement allows listing all groups. This is necessary for console access. This permission must be in its own statement because it does not support a resource ARN. Instead the permissions specify `"Resource" : "*"`.
+ The `AllowAllUsersToViewAndManageThisGroup` statement allows all group actions that can be performed on the group resource type. It does not allow the `ListGroupsForUser` action, which can be performed on a user resource type and not a group resource type. For more information about the resource types that you can specify for an IAM action, see [Actions, Resources, and Condition Keys for AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html#identityandaccessmanagement-actions-as-permissions).
+ The `LimitGroupManagementAccessToSpecificUsers` statement denies users with the specified names access to write and permissions management group actions. When a user specified in the policy attempts to make changes to the group, this statement does not deny the request. That request is allowed by the `AllowAllUsersToViewAndManageThisGroup` statement. If other users attempt to perform these operations, the request is denied. You can view the IAM actions that are defined with the **Write** or **Permissions management** access levels while creating this policy in the IAM console. To do this, switch from the **JSON** tab to the **Visual editor** tab. For more information about access levels. see [Actions, Resources, and Condition Keys for AWS Identity and Access Management](https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html#identityandaccessmanagement-actions-as-permissions).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAllGroups",
"Effect": "Allow",
"Action": "iam:ListGroups",
"Resource": "*"
},
{
"Sid": "AllowAllUsersToViewAndManageThisGroup",
"Effect": "Allow",
"Action": "iam:*Group*",
"Resource": "arn:aws:iam::*:group/AllUsers"
},
{
"Sid": "LimitGroupManagementAccessToSpecificUsers",
"Effect": "Deny",
"Action": [
"iam:AddUserToGroup",
"iam:CreateGroup",
"iam:RemoveUserFromGroup",
"iam:DeleteGroup",
"iam:AttachGroupPolicy",
"iam:UpdateGroup",
"iam:DetachGroupPolicy",
"iam:DeleteGroupPolicy",
"iam:PutGroupPolicy"
],
"Resource": "arn:aws:iam::*:group/AllUsers",
"Condition": {
"StringNotEquals": {
"aws:username": [
"srodriguez",
"mjackson",
"adesai"
]
}
}
}
]
}
```
------
# IAM: Allows setting the account password requirements programmatically and in the console
This example shows how you might create an identity-based policy that allows a user to view and update their account's password requirements. The password requirements specify the complexity requirements and mandatory rotation periods for the account members' passwords. This policy defines permissions for programmatic and console access.
To learn how to set the account password requirements policy for your account, see [Set an account password policy for IAM users](id_credentials_passwords_account-policy.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:UpdateAccountPasswordPolicy"
],
"Resource": "*"
}
}
```
------
# IAM: Access the policy simulator API based on user path
This example shows how you might create an identity-based policy that allows using the policy simulator API only for those users that have the path `Department/Development`. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"iam:GetContextKeysForPrincipalPolicy",
"iam:SimulatePrincipalPolicy"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/Department/Development/*"
}
]
}
```
------
**Note**
To create a policy that allows using the policy simulator console for those users that have the path `Department/Development`, see [IAM: Access the policy simulator console based on user path](reference_policies_examples_iam_policy-sim-path-console.md).
# IAM: Access the policy simulator console based on user path
This example shows how you might create an identity-based policy that allows using the policy simulator console only for those users that have the path `Department/Development`. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
You can access the IAM Policy Simulator at: [https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"iam:GetPolicy",
"iam:GetUserPolicy"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:GetUser",
"iam:ListAttachedUserPolicies",
"iam:ListGroupsForUser",
"iam:ListUserPolicies",
"iam:ListUsers"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::*:user/Department/Development/*"
}
]
}
```
------
# IAM: Allows IAM users to self-manage an MFA device
This example shows how you might create an identity-based policy that allows IAM users to self-manage their [multi-factor authentication (MFA)](id_credentials_mfa.md) device. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI.
**Note**
If an IAM user with this policy is not MFA-authenticated, this policy denies access to all AWS actions except those necessary to authenticate using MFA. If you add these permissions for a user that is signed in to AWS, they might need to sign out and back in to see these changes.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowListActions",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListVirtualMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowUserToCreateVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/*"
},
{
"Sid": "AllowUserToManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:EnableMFADevice",
"iam:GetMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowUserToDeactivateTheirOwnMFAOnlyWhenUsingMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "BlockMostAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
```
------
# IAM: Allows IAM users to update their own credentials programmatically and in the console
This example shows how you might create an identity-based policy that allows IAM users to update their own access keys, signing certificates, service specific credentials, and passwords. This policy defines permissions for programmatic and console access.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:GetAccountPasswordPolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:*AccessKey*",
"iam:ChangePassword",
"iam:GetUser",
"iam:*ServiceSpecificCredential*",
"iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam::*:user/${aws:username}"]
}
]
}
```
------
To learn how a user can change their own password in the console, see [How an IAM user changes their own password](id_credentials_passwords_user-change-own.md).
# IAM: View service last accessed information for an AWS Organizations policy
This example shows how you might create an identity-based policy that allows viewing service last accessed information for a specific AWS Organizations policy. This policy allows retrieving data for the service control policy (SCP) with the `p-policy123` ID. The person who generates and views the report must be authenticated using AWS Organizations management account credentials. This policy allows the requester to retrieve the data for any AWS Organizations entity in their organization. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
For important information about last accessed information, including permissions required, troubleshooting, and supported Regions, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowOrgsReadOnlyAndIamGetReport",
"Effect": "Allow",
"Action": [
"iam:GetOrganizationsAccessReport",
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
},
{
"Sid": "AllowGenerateReportOnlyForThePolicy",
"Effect": "Allow",
"Action": "iam:GenerateOrganizationsAccessReport",
"Resource": "*",
"Condition": {
"StringEquals": {"iam:OrganizationsPolicyId": "p-policy123"}
}
}
]
}
```
------
# IAM: Limits managed policies that can be applied to an IAM user, group, or role
This example shows how you might create an identity-based policy that limits customer managed and AWS managed policies that can be applied to an IAM user, group, or role. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:AttachUserPolicy",
"iam:DetachUserPolicy"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyARN": [
"arn:aws:iam::*:policy/policy-name-1",
"arn:aws:iam::*:policy/policy-name-2"
]
}
}
}
}
```
------
# AWS: Deny access to resources outside your account except AWS managed IAM policies
Using `aws:ResourceAccount` in your identity-based policies can impact the user or the role's ability to utilize some services that require interaction with resources in accounts owned by a service.
You can create a policy with an exception to allow for AWS managed IAM policies. A service-managed account outside of your AWS Organizations owns Managed IAM Policies. There are four IAM actions that list and retrieve AWS-managed policies. Use these actions in the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html) element of the statement. `AllowAccessToResourcesInSpecificAccountsAndSpecificService1` in the policy.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowAccessToResourcesInSpecificAccountsAndSpecificService1",
"Effect": "Deny",
"NotAction": [
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListEntitiesForPolicy",
"iam:ListPolicies"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:ResourceAccount": [
"111122223333"
]
}
}
}
]
}
```
------
# AWS Lambda: Allows a Lambda function to access an Amazon DynamoDB table
This example shows how you might create an identity-based policy that allows read and write access to a specific Amazon DynamoDB table. The policy also allows writing log files to CloudWatch Logs. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
To use this policy, attach the policy to a Lambda [service role](id_roles_create_for-service.md). A service role is a role that you create in your account to allow a service to perform actions on your behalf. That service role must include AWS Lambda as the principal in the trust policy. For details about how to use this policy, see [How to Create an AWS IAM Policy to Grant AWS Lambda Access to an Amazon DynamoDB Table](https://aws.amazon.com/blogs/security/how-to-create-an-aws-iam-policy-to-grant-aws-lambda-access-to-an-amazon-dynamodb-table/) in the AWS Security Blog.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ReadWriteTable",
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Resource": "arn:aws:dynamodb:*:*:table/SampleTable"
},
{
"Sid": "GetStreamRecords",
"Effect": "Allow",
"Action": "dynamodb:GetRecords",
"Resource": "arn:aws:dynamodb:*:*:table/SampleTable/stream/* "
},
{
"Sid": "WriteLogStreamsAndGroups",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Sid": "CreateLogGroup",
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "*"
}
]
}
```
------
# Amazon RDS: Allows full RDS database access within a specific Region
This example shows how you might create an identity-based policy that allows full RDS database access within a specific Region. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "rds:*",
"Resource": ["arn:aws:rds:us-east-1:*:*"]
},
{
"Effect": "Allow",
"Action": ["rds:Describe*"],
"Resource": ["*"]
}
]
}
```
------
# Amazon RDS: Allows restoring RDS databases, programmatically and in the console
This example shows how you might create an identity-based policy that allows restoring RDS databases. This policy defines permissions for programmatic and console access.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"rds:CreateDBParameterGroup",
"rds:CreateDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:Describe*",
"rds:DownloadDBLogFilePortion",
"rds:List*",
"rds:ModifyDBInstance",
"rds:ModifyDBParameterGroup",
"rds:ModifyOptionGroup",
"rds:RebootDBInstance",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:RestoreDBInstanceToPointInTime"
],
"Resource": "*"
}
]
}
```
------
# Amazon RDS: Allows tag owners full access to RDS resources that they have tagged
This example shows how you might create an identity-based policy that allows tag owners full access to RDS resources that they have tagged. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Action": [
"rds:Describe*",
"rds:List*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"rds:DeleteDBInstance",
"rds:RebootDBInstance",
"rds:ModifyDBInstance"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:db-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyOptionGroup",
"rds:DeleteOptionGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:og-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyDBParameterGroup",
"rds:ResetDBParameterGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:pg-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:AuthorizeDBSecurityGroupIngress",
"rds:RevokeDBSecurityGroupIngress",
"rds:DeleteDBSecurityGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:secgrp-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:DeleteDBSnapshot",
"rds:RestoreDBInstanceFromDBSnapshot"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:snapshot-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyDBSubnetGroup",
"rds:DeleteDBSubnetGroup"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:subgrp-tag/Owner": "${aws:username}"}
}
},
{
"Action": [
"rds:ModifyEventSubscription",
"rds:AddSourceIdentifierToSubscription",
"rds:RemoveSourceIdentifierFromSubscription",
"rds:DeleteEventSubscription"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEqualsIgnoreCase": {"rds:es-tag/Owner": "${aws:username}"}
}
}
]
}
```
------
# Amazon S3: Allows Amazon Cognito users to access objects in their bucket
This example shows how you might create an identity-based policy that allows Amazon Cognito users to access objects in a specific Amazon S3 bucket. This policy allows access only to objects with a name that includes `cognito`, the name of the application, and the federated principal ID, represented by the \$1\$1cognito-identity.amazonaws.com:sub\$1 variable. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
**Note**
The 'sub' value used in the object key is not the user's sub value in the User Pool, it is the identity id associated with the user in the Identity Pool.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListYourObjects",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::bucket-name"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
]
}
}
},
{
"Sid": "ReadWriteDeleteYourObjects",
"Effect": "Allow",
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
]
}
]
}
```
------
Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, or Google.
The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.
For more information about Amazon Cognito, see [Amazon Cognito User Guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html).
# Amazon S3: Allows federated users access to their Amazon S3 home directory, programmatically and in the console
This example shows how you might create an identity-based policy that allows federated principals to access their own home directory bucket object in S3. The home directory is a bucket that includes a `home` folder and folders for individual federated principals. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The `${aws:userid}` variable in this policy resolves to `role-id:specified-name`. The `role-id` part of the federated principal ID is a unique identifier assigned to the federated principal's role during creation. For more information, see [Unique identifiers](reference_identifiers.md#identifiers-unique-ids). The `specified-name` is the [RoleSessionName parameter](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html#API_AssumeRoleWithWebIdentity_RequestParameters) passed to the `AssumeRoleWithWebIdentity` request when the federated principal assumed their role.
You can view the role ID using the AWS CLI command `aws iam get-role --role-name specified-name`. For example, imagine that you specify the friendly name `John` and the CLI returns the role ID `AROAXXT2NJT7D3SIQN7Z6`. In this case, the federated principal's user ID is `AROAXXT2NJT7D3SIQN7Z6:John`. This policy then allows the federated principal John to access the Amazon S3 bucket with prefix `AROAXXT2NJT7D3SIQN7Z6:John`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "S3ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:userid}/*"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:userid}",
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:userid}/*"
]
}
]
}
```
------
# Amazon S3: S3 Bucket access, but production bucket denied without recent MFA
This example shows how you might create an identity-based policy that allows an Amazon S3 administrator to access any bucket, including updating, adding, and deleting objects. However, it explicitly denies access to the `amzn-s3-demo-bucket-production` bucket if the user has not signed in using [multi-factor authentication (MFA)](id_credentials_mfa.md) within the last thirty minutes. This policy grants the permissions necessary to perform this action in the console or programmatically using the AWS CLI or AWS API. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
This policy never allows programmatic access to the `amzn-s3-demo-bucket` bucket using long-term user access keys. This is accomplished using the `aws:MultiFactorAuthAge` condition key with the `NumericGreaterThanIfExists` condition operator. This policy condition returns `true` if MFA is not present or if the age of the MFA is greater than 30 minutes. In those situations, access is denied. To access the `amzn-s3-demo-bucket-production` bucket programmatically, the S3 administrator must use temporary credentials that were generated in the last 30 minutes using the [GetSessionToken](id_credentials_temp_request.md#api_getsessiontoken) API operation.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListAllS3Buckets",
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowBucketLevelActions",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "AllowBucketObjectActions",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::*/*"
},
{
"Sid": "RequireMFAForProductionBucket",
"Effect": "Deny",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket-production/*",
"arn:aws:s3:::amzn-s3-demo-bucket-production"
],
"Condition": {
"NumericGreaterThanIfExists": {"aws:MultiFactorAuthAge": "1800"}
}
}
]
}
```
------
# Amazon S3: Allows IAM users access to their S3 home directory, programmatically and in the console
This example shows how you might create an identity-based policy that allows IAM users to access their own home directory bucket object in S3. The home directory is a bucket that includes a `home` folder and folders for individual users. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
This policy will not work when using IAM roles because the `aws:username` variable is not available when using IAM roles. For details about principal key values, see [Principal key values](reference_policies_variables.md#principaltable).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "S3ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
"Condition": {
"StringLike": {
"s3:prefix": [
"",
"home/",
"home/${aws:username}/*"
]
}
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}",
"arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}/*"
]
}
]
}
```
------
# Amazon S3: Restrict management to a specific S3 bucket
This example shows how you might create an identity-based policy that restricts management of an Amazon S3 bucket to that specific bucket. This policy grants permission to perform all Amazon S3 actions, but deny access to every AWS service except Amazon S3. See the following example. According to this policy, you can only access Amazon S3 actions that you can perform on an S3 bucket or S3 object resource. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
If this policy is used in combination with other policies (such as the [AmazonS3FullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonS3FullAccess) or [AmazonEC2FullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonEC2FullAccess) AWS managed policies) that allow actions denied by this policy, then access is denied. This is because an explicit deny statement takes precedence over allow statements. For more information, see [How AWS enforcement code logic evaluates requests to allow or deny access](reference_policies_evaluation-logic_policy-eval-denyallow.md).
**Warning**
[`NotAction`](reference_policies_elements_notaction.md) and [`NotResource`](reference_policies_elements_notresource.md) are advanced policy elements that must be used with care. This policy denies access to every AWS service except Amazon S3. If you attach this policy to a user, any other policies that grant permissions to other services are ignored and access is denied.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
},
{
"Effect": "Deny",
"NotAction": "s3:*",
"NotResource": [
"arn:aws:s3:::bucket-name",
"arn:aws:s3:::bucket-name/*"
]
}
]
}
```
------
# Grant read and write access to Amazon S3 bucket objects
This example shows how you might create an identity-based policy that allows `Read` and `Write` access to objects in a specific Amazon S3 bucket. This policy grants the permissions necessary to complete this action programmatically from the AWS API or AWS CLI. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The `s3:*Object` action uses a wildcard as part of the action name. The `AllObjectActions` statement allows the `GetObject`, `DeleteObject`, `PutObject`, and any other Amazon S3 action that ends with the word "Object".
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::bucket-name"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::bucket-name/*"]
}
]
}
```
------
**Note**
To allow `Read` and `Write` access to an object in an Amazon S3 bucket and also include additional permissions for console access, see [Amazon S3: Allows read and write access to objects in an S3 Bucket, programmatically and in the console](reference_policies_examples_s3_rw-bucket-console.md).
# Amazon S3: Allows read and write access to objects in an S3 Bucket, programmatically and in the console
This example shows how you might create an identity-based policy that allows `Read` and `Write` access to objects in a specific S3 bucket. This policy defines permissions for programmatic and console access. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. Then, follow the directions in [create a policy](access_policies_create.md) or [edit a policy](access_policies_manage-edit.md).
The `s3:*Object` action uses a wildcard as part of the action name. The `AllObjectActions` statement allows the `GetObject`, `DeleteObject`, `PutObject`, and any other Amazon S3 action that ends with the word "Object".
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "S3ConsoleAccess",
"Effect": "Allow",
"Action": [
"s3:GetAccountPublicAccessBlock",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicyStatus",
"s3:GetBucketPublicAccessBlock",
"s3:ListAccessPoints",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Sid": "ListObjectsInBucket",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"]
},
{
"Sid": "AllObjectActions",
"Effect": "Allow",
"Action": "s3:*Object",
"Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*"]
}
]
}
```
------
# Manage IAM policies
IAM gives you the tools to create and manage all types of IAM policies (managed policies and inline policies). To add permissions to an IAM identity (IAM user, group, or role), you create a policy, validate the policy, and then attach the policy to the identity. You can attach multiple policies to an identity, and each policy can contain multiple permissions.
**Topics**
+ [Additional resources](#access_policies_manage-additional-resources)
+ [Define custom IAM permissions with customer managed policies](access_policies_create.md)
+ [IAM policy validation](access_policies_policy-validator.md)
+ [IAM policy testing with the IAM policy simulator](access_policies_testing-policies.md)
+ [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md)
+ [Versioning IAM policies](access_policies_managed-versioning.md)
+ [Edit IAM policies](access_policies_manage-edit.md)
+ [Delete IAM policies](access_policies_manage-delete.md)
+ [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md)
## Additional resources
The following resources can help you learn more about AWS policies.
+ For more information about the different types of IAM policies, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
+ For general information about using policies within IAM, see [Access management for AWS resources](access.md).
+ For information about how to use IAM Access Analyzer to generate an IAM policy that is based on access activity for an entity, see [IAM Access Analyzer policy generation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html).
+ For information about how permissions are evaluated when multiple policies are in effect for a given IAM identity, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
+ The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
# Define custom IAM permissions with customer managed policies
[Policies](access_policies.md) define permissions for identities or resources in AWS. You can create *customer managed policies* in IAM using the AWS Management Console, AWS CLI, or AWS API. Customer managed policies are standalone policies that you manage in your own AWS account. You can then attach the policies to identities (users, groups, and roles) in your AWS account.
An *identity-based policy* is a policy attached to an identity in IAM. Identity-based policies can include AWS managed policies, customer managed policies, and inline policies. AWS managed policies are created and managed by AWS, and you can use them but not manage them. An inline policy is one that you create and embed directly to an IAM user group, user, or role. Inline policies can't be reused on other identities or managed outside of the identity where they exist. For more information, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
It's generally better to use customer managed policies instead of inline policies or AWS managed policies. AWS managed policies usually provide broad administrative or read-only permissions. For the greatest security, [grant the least privilege](best-practices.md#grant-least-privilege), which means granting only the permissions required to perform specific job tasks.
When you create or edit IAM policies, AWS can automatically perform policy validation to help you create an effective policy with least privilege in mind. In the AWS Management Console, IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see [IAM policy validation](access_policies_policy-validator.md). To learn more about IAM Access Analyzer policy checks and actionable recommendations, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html).
You can use the AWS Management Console, AWS CLI, or AWS API to create customer managed policies in IAM. For more information about using CloudFormation templates to add or update policies, see [AWS Identity and Access Management resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html) in the *CloudFormation User Guide*.
**Topics**
+ [Create IAM policies (console)](access_policies_create-console.md)
+ [Create IAM policies (AWS CLI)](access_policies_create-cli.md)
+ [Create IAM policies (AWS API)](access_policies_create-api.md)
# Create IAM policies (console)
A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS Management Console to create *customer managed policies* in IAM. Customer managed policies are standalone policies that you administer in your own AWS account. You can then attach the policies to identities (users, groups, and roles) in your AWS account.
The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
**Topics**
+ [Creating IAM policies](#access_policies_create-start)
+ [Creating policies using the JSON editor](#access_policies_create-json-editor)
+ [Creating policies with the visual editor](#access_policies_create-visual-editor)
+ [Importing existing managed policies](#access_policies_create-copy)
## Creating IAM policies
You can create a customer managed policy in the AWS Management Console using one of the following methods:
+ **[JSON](#access_policies_create-json-editor)** — Paste and customize a published [example identity-based policy](access_policies_examples.md).
+ **[Visual editor](#access_policies_create-visual-editor)** — Construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.
+ **[Import](#access_policies_create-copy)** — Import and customize a managed policy from within your account. You can import an AWS managed policy or a customer managed policy that you previously created.
The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
## Creating policies using the JSON editor
You can type or paste policies in JSON by choosing the **JSON** option. This method is useful for copying an [example policy](access_policies_examples.md) to use in your account. Or, you can type your own JSON policy document in the JSON editor. You can also use the **JSON** option to toggle between the visual editor and JSON to compare the views.
When you create or edit a policy in the JSON editor, IAM performs policy validation to help you create an effective policy. IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with actionable recommendations to help you further refine the policy.
A JSON [policy](access_policies.md) document consists of one or more statements. Each statement should contain all the actions that share the same effect (`Allow` or `Deny`) and support the same resources and conditions. If one action requires you to specify all resources (`"*"`) and another action supports the Amazon Resource Name (ARN) of a specific resource, they must be in two separate JSON statements. For details about ARN formats, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference Guide*. For general information about IAM policies, see [Policies and permissions in AWS Identity and Access Management](access_policies.md). For information about the IAM policy language, see [IAM JSON policy reference](reference_policies.md).
**To use the JSON policy editor to create a policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane on the left, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option.
1. Type or paste a JSON policy document. For details about the IAM policy language, see [IAM JSON policy reference](reference_policies.md).
1. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**.
**Note**
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. (Optional) When you create or edit a policy in the AWS Management Console, you can generate a JSON or YAML policy template that you can use in CloudFormation templates.
To do this, in the **Policy editor** choose **Actions**, and then choose **Generate CloudFormation template**. To learn more about CloudFormation see [AWS Identity and Access Management resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html) in the AWS CloudFormation User Guide.
1. When you are finished adding permissions to the policy, choose **Next**.
1. On the **Review and create** page, type a **Policy Name** and a **Description** (optional) for the policy that you are creating. Review **Permissions defined in this policy** to see the permissions that are granted by your policy.
1. (Optional) Add metadata to the policy by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tags for AWS Identity and Access Management resources](id_tags.md).
1. Choose **Create policy** to save your new policy.
After you create a policy, you can attach it to your groups, users, or roles. For more information, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
## Creating policies with the visual editor
The visual editor in the IAM console guides you through creating a policy without having to write JSON syntax. To view an example of using the visual editor to create a policy, see [Controlling access to identities](access_controlling.md#access_controlling-identities).
**To use the visual editor to create a policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane on the left, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, find the **Select a service** section, and then choose an AWS service. You can use the search box at the top to limit the results in the list of services. You can choose only one service within a visual editor permission block. To grant access to more than one service, add multiple permission blocks by choosing **Add more permissions**.
1. In **Actions allowed**, choose the actions to add to the policy. You can choose actions in the following ways:
+ Select the checkbox for all actions.
+ Choose **add actions** to type the name of a specific action. You can use wildcards (`*`) to specify multiple actions.
+ Select one of the **Access level** groups to choose all actions for the access level (for example, **Read**, **Write**, or **List**).
+ Expand each of the **Access level** groups to choose individual actions.
By default, the policy that you are creating allows the actions that you choose. To deny the chosen actions instead, choose **Switch to deny permissions**. Because [IAM denies by default](reference_policies_evaluation-logic.md), we recommend as a security best practice that you allow permissions to only those actions and resources that a user needs. You should create a JSON statement to deny permissions only if you want to override a permission separately allowed by another statement or policy. We recommend that you limit the number of deny permissions to a minimum because they can increase the difficulty of troubleshooting permissions.
1. For **Resources**, if the service and actions that you selected in the previous steps do not support choosing [specific resources](access_controlling.md#access_controlling-resources), all resources are allowed and you cannot edit this section.
If you chose one or more actions that support [resource-level permissions](access_controlling.md#access_controlling-resources), then the visual editor lists those resources. You can then expand **Resources** to specify resources for your policy.
You can specify resources in the following ways:
+ Choose **Add ARNs** to specify resources by their Amazon Resource Names (ARN). You can use the visual ARN editor or list ARNs manually. For more information about ARN syntax, see [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in the *AWS General Reference Guide*. For information about using ARNs in the `Resource` element of a policy, see [IAM JSON policy elements: Resource](reference_policies_elements_resource.md).
+ Choose **Any in this account** next to a resource to grant permissions to any resources of that type.
+ Choose **All** to choose all resources for the service.
1. (Optional) Choose **Request conditions - *optional*** to add conditions to the policy that you are creating. Conditions limit a JSON policy statement's effect. For example, you can specify that a user is allowed to perform the actions on the resources only when that user's request happens within a certain time range. You can also use commonly used conditions to limit whether a user must be authenticated using a multi-factor authentication (MFA) device. Or you can require that the request originate from within a certain range of IP addresses. For lists of all of the context keys that you can use in a policy condition, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the *Service Authorization Reference*.
You can choose conditions in the following ways:
+ Use checkboxes to select commonly used conditions.
+ Choose **Add another condition** to specify other conditions. Choose the condition's **Condition Key**, **Qualifier**, and **Operator**, and then type a **Value**. To add more than one value, choose **Add**. You can consider the values as being connected by a logical "OR" operator. When you are finished, choose **Add condition**.
To add more than one condition, choose **Add another condition** again. Repeat as needed. Each condition applies only to this one visual editor permission block. All the conditions must be true for the permission block to be considered a match. In other words, consider the conditions to be connected by a logical "AND" operator.
For more information about the **Condition** element, see [IAM JSON policy elements: Condition](reference_policies_elements_condition.md) in the [IAM JSON policy reference](reference_policies.md).
1. To add more permission blocks, choose **Add more permissions**. For each block, repeat steps 2 through 5.
**Note**
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. (Optional) When you create or edit a policy in the AWS Management Console, you can generate a JSON or YAML policy template that you can use in CloudFormation templates.
To do this, in the **Policy editor** choose **Actions**, and then choose **Generate CloudFormation template**. To learn more about CloudFormation see [AWS Identity and Access Management resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html) in the AWS CloudFormation User Guide.
1. When you are finished adding permissions to the policy, choose **Next**.
1. On the **Review and create** page, type a **Policy Name** and a **Description** (optional) for the policy that you are creating. Review the **Permissions defined in this policy** to make sure that you have granted the intended permissions.
1. (Optional) Add metadata to the policy by attaching tags as key-value pairs. For more information about using tags in IAM, see [Tags for AWS Identity and Access Management resources](id_tags.md).
1. Choose **Create policy** to save your new policy.
After you create a policy, you can attach it to your groups, users, or roles. For more information, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
## Importing existing managed policies
An easy way to create a new policy is to import an existing managed policy within your account that has at least some of the permissions that you need. You can then customize the policy to match it to your new requirements.
You cannot import an inline policy. To learn about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md).
**To import an existing managed policy in the visual editor**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane on the left, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** , choose **Visual** and then on the right side of the page, choose **Actions** then choose **Import policy**.
1. In the **Import policy** window, choose the managed policies that most closely match the policy that you want to include in your new policy. You can use the search box at the top to limit the results in the list of policies.
1. Choose **Import policy**.
The imported policies are added in new permission blocks at the bottom of your policy.
1. Use the **Visual** editor or choose **JSON** to customize your policy. Then choose **Next**.
**Note**
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. On the **Review and create** page, type a **Policy Name** and a **Description** (optional) for the policy that you are creating. You cannot edit these settings later. Review the **Permissions defined in this policy** and then choose **Create policy** to save your work.
**To import an existing managed policy in the **JSON** editor**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane on the left, choose **Policies**.
1. Choose **Create policy**.
1. In the **Policy editor** section, choose the **JSON** option, and then on the right side of the page, choose **Actions** then choose **Import policy**.
1. In the **Import policy** window, choose the managed policies that most closely match the policy that you want to include in your new policy. You can use the search box at the top to limit the results in the list of policies.
1. Choose **Import policy**.
Statements from the imported policies are added to the bottom of your JSON policy.
1. Customize your policy in JSON. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**. Or, customize your policy in the **Visual** editor. Then choose **Next**.
**Note**
You can switch between the **Visual** and **JSON** editor options anytime. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. On the **Review and create** page, type a **Policy Name** and a **Description** (optional) for the policy that you are creating. You cannot edit these later. Review the policy **Permissions defined in this policy** and then choose **Create policy** to save your work.
After you create a policy, you can attach it to your groups, users, or roles. For more information, see [Adding and removing IAM identity permissions](access_policies_manage-attach-detach.md).
# Create IAM policies (AWS CLI)
A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS CLI to create *customer managed policies* in IAM. Customer managed policies are standalone policies that you administer in your own AWS account. As a [best practice](best-practices.md), we recommend that you use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions. By [validating your policies](access_policies_policy-validator.md) you can address any errors or recommendations before you attach the policies to identities (users, groups, and roles) in your AWS account.
The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
## Creating IAM policies (AWS CLI)
You can create an IAM customer managed policy or an inline policy using the AWS Command Line Interface (AWS CLI).
**To create a customer managed policy (AWS CLI)**
Use the following command:
+ [create-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html)
**To create an inline policy for an IAM identity (group, user or role) (AWS CLI)**
Use one of the following commands:
+ [put-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-group-policy.html)
+ [put-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html)
+ [put-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-policy.html)
**Note**
You can't use IAM to embed an inline policy for a *[service-linked role](id_roles.md#iam-term-service-linked-role)*.
**To validate a customer managed policy (AWS CLI)**
Use the following IAM Access Analyzer command:
+ [validate-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/validate-policy.html)
# Create IAM policies (AWS API)
A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS API to create *customer managed policies* in IAM. Customer managed policies are standalone policies that you administer in your own AWS account. As a [best practice](best-practices.md), we recommend that you use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions. By [validating your policies](access_policies_policy-validator.md) you can address any errors or recommendations before you attach the policies to identities (users, groups, and roles) in your AWS account.
The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
## Creating IAM policies (AWS API)
You can create an IAM customer managed policy or an inline policy using the AWS API.
**To create a customer managed policy (AWS API)**
Call the following operation:
+ [CreatePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html)
**To create an inline policy for an IAM identity (group, user, or role) (AWS API)**
Call one of the following operations:
+ [PutGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html)
+ [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html)
+ [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html)
**Note**
You can't use IAM to embed an inline policy for a *[service-linked role](id_roles.md#iam-term-service-linked-role)*.
**To validate a customer managed policy (AWS API)**
Call the following IAM Access Analyzer operation:
+ [ValidatePolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html)
# IAM policy validation
A [policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies_overview.html) is a JSON document that uses the [IAM policy grammar](https://docs.aws.amazon.com/IAM/latest/UserGuide/policies-grammar.html). When you attach a policy to an IAM entity, such as a user, group, or role, it grants permissions to that entity.
When you create or edit IAM access control policies using the AWS Management Console, AWS automatically examines them to ensure that they comply with the IAM policy grammar. If AWS determines that a policy is not in compliance with the grammar, it prompts you to fix the policy.
IAM Access Analyzer provides additional policy checks with recommendations to help you further refine the policy. To learn more about IAM Access Analyzer policy checks and actionable recommendations, see [ IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html). To view a list of warnings, errors, and suggestions that are returned by IAM Access Analyzer, see [ IAM Access Analyzer policy check reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html).
**Validation scope**
AWS checks JSON policy syntax and grammar. It also verifies that your ARNs are formatted properly and action names and condition keys are correct.
**Accessing policy validation**
Policies are validated automatically when you create a JSON policy or edit an existing policy in the AWS Management Console. If the policy syntax is not valid, you receive a notification and must fix the problem before you can continue. The findings from the IAM Access Analyzer policy validation are automatically returned in the AWS Management Console if you have permissions for `access-analyzer:ValidatePolicy`. You can also validate policies using the AWS API or AWS CLI.
**Existing policies**
You might have existing policies that are not valid because they were created or last saved before the latest updates to the policy engine. As a [best practice](best-practices.md), we recommend that you use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions. We recommend that you open your existing policies and review the policy validation results that are generated. You cannot edit and save existing policies without fixing any policy syntax errors.
# IAM policy testing with the IAM policy simulator
For more information about how and why to use IAM policies, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
**You can access the IAM Policy Simulator Console at: [https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/)**
**Important**
The policy simulator results can differ from your live AWS environment. We recommend that you check your policies against your live AWS environment after testing using the policy simulator to confirm that you have the desired results. For more information, see [How the IAM policy simulator works](#policies_policy-simulator-how-it-works).
With the IAM policy simulator, you can test and troubleshoot identity-based policies and IAM permissions boundaries. Here are some common things you can do with the policy simulator:
+ Test identity-based policies that are attached to IAM users, IAM groups, or roles in your AWS account. If more than one policy is attached to the user, user group, or role, you can test all the policies, or select individual policies to test. You can test which actions are allowed or denied by the selected policies for specific resources.
+ Test and troubleshoot the effect of [permissions boundaries](access_policies_boundaries.md) on IAM entities. You can only simulate one permissions boundary at a time.
+ Test the effects of resource-based policies on IAM users that are attached to AWS resources, such as Amazon S3 buckets, Amazon SQS queues, Amazon SNS topics, or Amazon Glacier vaults. To use a resource-based policy in the policy simulator for IAM users, you must include the resource in the simulation. You must also select the checkbox to include that resource's policy in the simulation.
**Note**
Simulation of resource-based policies isn't supported for IAM roles.
+ If your AWS account is a member of an organization in [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/), then you can test the impact of service control policies (SCPs) on your identity-based policies.
**Note**
The policy simulator doesn't evaluate SCPs that have any conditions.
+ Test new identity-based policies that are not yet attached to a user, user group, or role by typing or copying them into the policy simulator. These are used only in the simulation and are not saved. You can't type or copy a resource-based policy in the policy simulator.
+ Test identity-based policies with selected services, actions, and resources. For example, you can test to ensure that your policy allows an entity to perform the `ListAllMyBuckets`, `CreateBucket`, and `DeleteBucket` actions in the Amazon S3 service on a specific bucket.
+ Simulate real-world scenarios by providing context keys, such as an IP address or date, that are included in `Condition` elements in the policies being tested.
**Note**
The policy simulator doesn't simulate tags provided as input if the identity-based policy in the simulation doesn't have a `Condition` element that explicitly checks for tags.
+ Identify which specific statement in identity-based policy results in allowing or denying access to a particular resource or action.
**Topics**
+ [How the IAM policy simulator works](#policies_policy-simulator-how-it-works)
+ [Permissions required for using the IAM policy simulator](#permissions-required_policy-simulator)
+ [Using the IAM policy simulator (console)](#policies_policy-simulator-using)
+ [Using the IAM policy simulator (AWS CLI and AWS API)](#policies-simulator-using-api)
## How the IAM policy simulator works
The policy simulator evaluates statements in the identity-based policy and the inputs that you provide during simulation. The policy simulator results can differ from your live AWS environment. We recommend that you check your policies against your live AWS environment after testing using the policy simulator to confirm that you have the desired results.
The policy simulator differs from the live AWS environment in the following ways:
+ The policy simulator does not make an actual AWS service request, so you can safely test requests that might make unwanted changes to your live AWS environment. The policy simulator doesn't consider real context key values in production.
+ Because the policy simulator does not simulate running the selected actions, it cannot report any response to the simulated request. The only result returned is whether the requested action would be allowed or denied.
+ If you edit a policy in the policy simulator, these changes affect only the policy simulator. The corresponding policy in your AWS account remains unchanged.
+ You can't test service control policies (SCPs) with any conditions.
+ The policy simulator doesn't support simulation for resource control policies (RCPs).
+ The policy simulator doesn't support simulation for IAM roles and users for cross-account access.
**Note**
The IAM policy simulator doesn't determine which services support [global condition keys](reference_policies_condition-keys.md) for authorization. For example, the policy simulator doesn't identify that a service doesn't support [`aws:TagKeys`](reference_policies_condition-keys.md#condition-keys-tagkeys).
## Permissions required for using the IAM policy simulator
You can use the policy simulator console or the policy simulator API to test policies. By default, console users can test policies that are not yet attached to a user, user group, or role by typing or copying those policies into the policy simulator. These policies are used only in the simulation and do not disclose sensitive information. API users must have permissions to test unattached policies. You can allow console or API users to test policies that are attached to IAM users, IAM groups, or roles in your AWS account. To do so, you must provide permission to retrieve those policies. In order to test resource-based policies, users must have permission to retrieve the resource's policy.
For examples of console and API policies that allow a user to simulate policies, see [Example policies: AWS Identity and Access Management (IAM)](access_policies_examples.md#policy_library_IAM).
### Permissions required for using the policy simulator console
You can allow users to test policies that are attached to IAM users, IAM groups, or roles in your AWS account. To do so, you must provide your users with permissions to retrieve those policies. In order to test resource-based policies, users must have permission to retrieve the resource's policy.
To view an example policy that allows using the policy simulator console for policies that are attached to a user, user group, or role, see [IAM: Access the policy simulator console](reference_policies_examples_iam_policy-sim-console.md).
To view an example policy that allows using the policy simulator console only for those users with a specific path, see [IAM: Access the policy simulator console based on user path](reference_policies_examples_iam_policy-sim-path-console.md).
To create a policy to allow using the policy simulator console for only one type of entity, use the following procedures.
**To allow console users to simulate policies for users**
Include the following actions in your policy:
+ `iam:GetGroupPolicy`
+ `iam:GetPolicy`
+ `iam:GetPolicyVersion`
+ `iam:GetUser`
+ `iam:GetUserPolicy`
+ `iam:ListAttachedUserPolicies`
+ `iam:ListGroupsForUser`
+ `iam:ListGroupPolicies`
+ `iam:ListUserPolicies`
+ `iam:ListUsers`
**To allow console users to simulate policies for IAM groups**
Include the following actions in your policy:
+ `iam:GetGroup`
+ `iam:GetGroupPolicy`
+ `iam:GetPolicy`
+ `iam:GetPolicyVersion`
+ `iam:ListAttachedGroupPolicies`
+ `iam:ListGroupPolicies`
+ `iam:ListGroups`
**To allow console users to simulate policies for roles**
Include the following actions in your policy:
+ `iam:GetPolicy`
+ `iam:GetPolicyVersion`
+ `iam:GetRole`
+ `iam:GetRolePolicy`
+ `iam:ListAttachedRolePolicies`
+ `iam:ListRolePolicies`
+ `iam:ListRoles`
To test resource-based policies, users must have permission to retrieve the resource's policy.
**To allow console users to test resource-based policies in an Amazon S3 bucket**
Include the following action in your policy:
+ `s3:GetBucketPolicy`
For example, the following policy uses this action to allow console users to simulate a resource-based policy in a specific Amazon S3 bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetBucketPolicy",
"Resource":"arn:aws:s3:::bucket-name/*"
}
]
}
```
------
### Permissions required for using the policy simulator API
The policy simulator API operations [GetContextKeysForCustomPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html) and [SimulateCustomPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html) allow you to test policies that are not yet attached to a user, user group, or role. To test such policies, you pass the policies as strings to the API. These policies are used only in the simulation and do not disclose sensitive information. You can also use the API to test policies that are attached to IAM users, IAM groups, or roles in your AWS account. To do that, you must provide users with permissions to call [GetContextKeysForPrincipalPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html) and [SimulatePrincipalPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html).
To view an example policy that allows using the policy simulator API for attached and unattached policies in the current AWS account, see [IAM: Access the policy simulator API](reference_policies_examples_iam_policy-sim.md).
To create a policy to allow using the policy simulator API for only one type of policy, use the following procedures.
**To allow API users to simulate policies passed directly to the API as strings**
Include the following actions in your policy:
+ `iam:GetContextKeysForCustomPolicy`
+ `iam:SimulateCustomPolicy`
**To allow API users to simulate policies attached to IAM users, IAM groups, roles, or resources**
Include the following actions in your policy:
+ `iam:GetContextKeysForPrincipalPolicy`
+ `iam:SimulatePrincipalPolicy`
For example, to give a user named Bob permission to simulate a policy that is assigned to a user named Alice, give Bob access to the following resource: `arn:aws:iam::777788889999:user/alice`.
To view an example policy that allows using the policy simulator API only for those users with a specific path, see [IAM: Access the policy simulator API based on user path](reference_policies_examples_iam_policy-sim-path.md).
## Using the IAM policy simulator (console)
By default, users can test policies that are not yet attached to a user, user group, or role by typing or copying those policies into the policy simulator console. These policies are used only in the simulation and do not disclose sensitive information.
**To test a policy that is not attached to a user, user group, or role (console)**
1. Open the IAM policy simulator console at: [https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/).
1. In the **Mode:** menu at the top of the page, choose **New Policy**.
1. In the **Policy Sandbox**, choose **Create New Policy**.
1. Type or copy a policy into the policy simulator, and use the policy simulator as described in the following steps.
After you have permission to use the IAM Policy Simulator Console, you can use the policy simulator to test an IAM user, user group, role, or resource policy.
**To test a policy that is attached to a user, user group, or role (console)**
1. Open the IAM policy simulator console at [ https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/).
**Note**
To sign in to the policy simulator as an IAM user, use your unique sign-in URL to sign in to the AWS Management Console. Then go to [https://policysim.aws.amazon.com/](https://policysim.aws.amazon.com/). For more information about signing in as an IAM user, see [How IAM users sign in to AWS](id_users_sign-in.md).
The policy simulator opens in **Existing Policies** mode and lists the IAM users in your account under **Users, Groups, and Roles**.
1. Choose the option that is appropriate to your task:
****
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html)
**Tip**
To test a policy that is attached to user group, you can launch the IAM policy simulator directly from the [IAM console](https://console.aws.amazon.com/iam/): In the navigation pane, choose **User groups**. Choose the name of the group that you want to test a policy on, and then choose the **Permissions** tab. Choose **Simulate**.
To test a customer managed policy that is attached to a user: In the navigation pane, choose **Users**. Choose the name of the user that you want to test a policy on. Then choose the **Permissions** tab and expand the policy that you want to test. On the far right, choose **Simulate policy**. The **IAM Policy Simulator** opens in a new window and displays the selected policy in the **Policies** pane.
1. (Optional) If your account is a member of an organization in [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/), then select the checkbox next to **AWS Organizations SCPs** to include SCPs in your simulated evaluation. SCPs are JSON policies that specify the maximum permissions for an organization or organizational unit (OU). The SCP limits permissions for entities in member accounts. If an SCP blocks a service or action, then no entity in that account can access that service nor perform that action. This is true even if an administrator explicitly grants permissions to that service or action through an IAM or resource policy.
If your account is not a member of an organization, then the checkbox does not appear.
1. (Optional) You can test a policy that is set as a [permissions boundary](access_policies_boundaries.md) for an IAM entity (user or role), but not for IAM groups. If a permissions boundary policy is currently set for the entity, it appears in the **Policies** pane. You can set only one permissions boundary for an entity. To test a different permissions boundary, you can create a custom permissions boundary. To do this, choose **Create New Policy**. A new **Policies** pane opens. In the menu, choose **Custom IAM Permissions Boundary Policy**. Enter a name for the new policy and type or copy a policy into the space below. Choose **Apply** to save the policy. Next, choose **Back** to return to the original **Policies** pane. Then select the checkbox next to the permissions boundary you want to use for the simulation.
1. (Optional) You can test only a subset of policies attached to a user, user group, or role. To do so, in the **Policies** pane clear the checkbox next to each policy that you want to exclude.
1. Under **Policy Simulator**, choose **Select service** and then choose the service to test. Then choose **Select actions** and select one or more actions to test. Although the menus show the available selections for only one service at a time, all the services and actions that you have selected appear in **Action Settings and Results**.
1. (Optional) If any of the policies that you choose in [Step 2](#polsimstep-selectid) and [Step 5](#polsimstep-polsubset) include conditions with [AWS*global condition keys*](reference_policies_condition-keys.md), then supply values for those keys. You can do this by expanding the **Global Settings** section and typing values for the key names displayed there.
**Warning**
If you leave the value for a condition key empty, then that key is ignored during the simulation. In some cases, this results in an error, and the simulation fails to run. In other cases, the simulation runs, but the results might not be reliable. In those cases, the simulation does not match the real-world conditions that include a value for the condition key or variable.
1. (Optional) Each selected action appears in the **Action Settings and Results** list with **Not simulated** shown in the **Permission** column until you actually run the simulation. Before you run the simulation, you can configure each action with a resource. To configure individual actions for a specific scenario, choose the arrow to expand the action's row. If the action supports resource-level permissions, you can type the [Amazon Resource Name (ARN)](reference_identifiers.md#identifiers-arns) of the specific resource whose access you want to test. By default, each resource is set to a wildcard (\$1). You can also specify a value for any [condition context keys](reference_policies_actions-resources-contextkeys.html). As noted previously, keys with empty values are ignored, which can cause simulation failures or unreliable results.
1. Choose the arrow next to the action name to expand each row and configure any additional information required to accurately simulate the action in your scenario. If the action requires any resource-level permissions, you can type the [Amazon Resource Name (ARN)](reference_identifiers.md#identifiers-arns) of the specific resource that you want to simulate access to. By default, each resource is set to a wildcard (\$1).
1. If the action supports resource-level permissions but does not require them, then you can choose **Add Resource** to select the resource type that you want to add to the simulation.
1. If any of the selected policies include a `Condition` element that references a context key for this action's service, then that key name is displayed under the action. You can specify the value to be used during the simulation of that action for the specified resource.
**Actions that require different groups of resource types**
Some actions require different resource types under different circumstances. Each group of resource types is associated with a scenario. If one of these applies to your simulation, select it and the policy simulator requires the resource types appropriate for that scenario. The following list shows each of the supported scenario options and the resources that you must define to run the simulation.
Each of the following Amazon EC2 scenarios requires that you specify `instance`, `image`, and `security-group` resources. If your scenario includes an EBS volume, then you must specify that `volume` as a resource. If the Amazon EC2 scenario includes a virtual private cloud (VPC), then you must supply the `network-interface` resource. If it includes an IP subnet, then you must specify the `subnet` resource. For more information on the Amazon EC2 scenario options, see [Supported Platforms](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html) in the *Amazon EC2 User Guide*.
+ **EC2-VPC-InstanceStore**
instance, image, security-group, network-interface
+ **EC2-VPC-InstanceStore-Subnet**
instance, image, security-group, network-interface, subnet
+ **EC2-VPC-EBS**
instance, image, security-group, network-interface, volume
+ **EC2-VPC-EBS-Subnet**
instance, image, security-group, network-interface, subnet, volume
1. (Optional) If you want to include a resource-based policy in your simulation, then you must first select the actions that you want to simulate on that resource in [Step 6](#polsimstep-service). Expand the rows for the selected actions, and type the ARN of the resource with a policy that you want to simulate. Then select **Include Resource Policy** next to the **ARN** text box. The IAM policy simulator currently supports resource-based policies from only the following services: Amazon S3 (resource-based policies only; ACLs are not currently supported), Amazon SQS, Amazon SNS, and unlocked Amazon Glacier vaults (locked vaults are not currently supported).
1. Choose **Run Simulation** in the upper-right corner.
The **Permission** column in each row of **Action Settings and Results** displays the result of the simulation of that action on the specified resource.
1. To see which statement in a policy explicitly allowed or denied an action, choose the ***N* matching statement(s)** link in the **Permissions** column to expand the row. Then choose the **Show statement** link. The **Policies** pane shows the relevant policy with the statement that affected the simulation result highlighted.
**Note**
If an action is *implicitly* denied—that is, if the action is denied only because it is not explicitly allowed—the **List** and **Show statement** options are not displayed.
### Troubleshooting IAM policy simulator console messages
The following table lists the informational and warning messages you might encounter when using the IAM policy simulator. The table also provides steps you can take to resolve them.
****
| Message | Steps to resolve |
| --- | --- |
| This policy has been edited. Changes will not be saved to your account. | **No action required.** This message is informational. If you edit an existing policy in the IAM policy simulator, your change does not affect your AWS account. The policy simulator allows you to make changes to policies for testing purposes only. |
| Cannot get the resource policy. Reason: detailed error message | The policy simulator is not able to access a requested resource-based policy. Ensure that the specified resource ARN is correct and that the user running the simulation has permission to read the resource's policy. |
| One or more policies require values in the simulation settings. The simulation might fail without these values. | This message appears if the policy you are testing contains condition keys or variables but you have not provided any values for these keys or variables in **Simulation Settings**. To dismiss this message, choose **Simulation Settings**, Then enter a value for each condition key or variable. |
| You have changed policies. These results are no longer valid. | This message appears if you have changed the selected policy while results are displayed in the **Results** pane. Results shown in the **Results** pane are not updated dynamically. To dismiss this message, choose **Run Simulation** again to display new simulation results based on the changes made in the **Policies** pane. |
| The resource you typed for this simulation does not match this service. | This message appears if you have typed an Amazon Resource Name (ARN) in the **Simulation Settings** pane that does not match the service that you chose for the current simulation. For example, this message appears if you specify an ARN for an Amazon DynamoDB resource but you chose Amazon Redshift as the service to simulate. To dismiss this message, do one of the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html) |
| This action belongs to a service that supports special access control mechanisms in addition to resource-based policies, such as Amazon S3 ACLs or Amazon Glacier vault lock policies. The policy simulator does not support these mechanisms, so the results can differ from your production environment. | **No action required.** This message is informational. In the current version, the policy simulator evaluates policies attached to users and IAM groups, and can evaluate resource-based policies for Amazon S3, Amazon SQS, Amazon SNS, and Amazon Glacier. The policy simulator does not support all access control mechanisms supported by other AWS services. |
| DynamoDB FGAC is currently not supported. | **No action required.** This informational message refers to *fine-grained access control*. Fine-grained access control is the ability to use IAM policy conditions to determine who can access individual data items and attributes in DynamoDB tables and indexes. It also refers to the actions that can be performed on these tables and indexes. The current version of the IAM policy simulator does not support this type of policy condition. For more information on DynamoDB fine-grained access control, see [Fine-Grained Access Control for DynamoDB](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/FGAC_DDB.html). |
| You have policies that do not comply with the policy syntax. You can use policy validation to review recommended updates to your policies. | This message appears at the top of the policy list if you have policies that do not comply with the IAM policy grammar. In order to simulate these policies, review the policy validation options at [IAM policy validation](access_policies_policy-validator.md) to identify and fix these policies. |
| This policy must be updated to comply with the latest policy syntax rules. | This message is displayed if you have policies that do not comply with the IAM policy grammar. In order to simulate these policies, review the policy validation options at [IAM policy validation](access_policies_policy-validator.md) to identify and fix these policies. |
## Using the IAM policy simulator (AWS CLI and AWS API)
Policy simulator commands typically require calling API operations to do two things:
1. Evaluate the policies and return the list of context keys that they reference. You need to know what context keys are referenced so that you can supply values for them in the next step.
1. Simulate the policies, providing a list of actions, resources, and context keys that are used during the simulation.
For security reasons, the API operations have been broken into two groups:
+ API operations that simulate only policies that are passed directly to the API as strings. This set includes [GetContextKeysForCustomPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html) and [SimulateCustomPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html).
+ API operations that simulate the policies that are attached to a specified IAM user, user group, role, or resource. Because these API operations can reveal details of permissions assigned to other IAM entities, you should consider restricting access to these API operations. This set includes [GetContextKeysForPrincipalPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html) and [SimulatePrincipalPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html). For more information about restricting access to API operations, see [Example policies: AWS Identity and Access Management (IAM)](access_policies_examples.md#policy_library_IAM).
In both cases, the API operations simulate the effect of one or more policies on a list of actions and resources. Each action is paired with each resource and the simulation determines whether the policies allow or deny that action for that resource. You can also provide values for any context keys that your policies reference. You can get the list of context keys that the policies reference by first calling [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html) or [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html). If you don't provide a value for a context key, the simulation still runs. But the results might not be reliable because the policy simulator cannot include that context key in the evaluation.
**To get the list of context keys (AWS CLI, AWS API)**
Use the following to evaluate a list of policies and return a list of context keys that are used in the policies.
+ AWS CLI: [https://docs.aws.amazon.com/cli/latest/reference/iam/get-context-keys-for-custom-policy.html](https://docs.aws.amazon.com/cli/latest/reference/iam/get-context-keys-for-custom-policy.html) and [https://docs.aws.amazon.com/cli/latest/reference/iam/get-context-keys-for-principal-policy.html](https://docs.aws.amazon.com/cli/latest/reference/iam/get-context-keys-for-principal-policy.html)
+ AWS API: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForCustomPolicy.html) and [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetContextKeysForPrincipalPolicy.html)
**To simulate IAM policies (AWS CLI, AWS API)**
Use the following to simulate IAM policies to determine a user's effective permissions.
+ AWS CLI: [https://docs.aws.amazon.com/cli/latest/reference/iam/simulate-custom-policy.html](https://docs.aws.amazon.com/cli/latest/reference/iam/simulate-custom-policy.html) and [https://docs.aws.amazon.com/cli/latest/reference/iam/simulate-principal-policy.html](https://docs.aws.amazon.com/cli/latest/reference/iam/simulate-principal-policy.html)
+ AWS API: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html) and [https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulatePrincipalPolicy.html)
# Adding and removing IAM identity permissions
You use policies to define the permissions for an identity (user, user group, or role). You can add and remove permissions by attaching and detaching IAM policies for an identity using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS API. You can also use policies to set [permissions boundaries](access_policies_boundaries.md) for only entities (users or roles) that are using the same methods. Permissions boundaries are an advanced AWS feature that control the maximum permissions that an entity can have.
**Topics**
+ [Terminology](#attach-detach-etc-terminology)
+ [View identity activity](#attach-detach_prerequisites)
+ [Adding IAM identity permissions (console)](#add-policies-console)
+ [Removing IAM identity permissions (console)](#remove-policies-console)
+ [Adding IAM policies (AWS CLI)](#add-policy-cli)
+ [Removing IAM policies (AWS CLI)](#remove-policy-cli)
+ [Adding IAM policies (AWS API)](#add-policy-api)
+ [Removing IAM policies (AWS API)](#remove-policy-api)
## Terminology
When you associate permissions policies with identities (IAM users, IAM groups, and IAM roles), terminology and procedures vary depending on whether you are working with a managed or inline policy:
+ **Attach** – Used with managed policies. You attach a managed policy to an identity (a user, user group, or role). Attaching a policy applies the permissions in the policy to the identity.
+ **Detach** – Used with managed policies. You detach a managed policy from an IAM identity (a user, user group, or role). Detaching a policy removes its permissions from the identity.
+ **Embed** – Used with inline policies. You embed an inline policy in an identity (a user, user group, or role). Embedding a policy applies the permissions in the policy to the identity. Because an inline policy is stored in the identity, it is embedded rather than attached, though the results are similar.
**Note**
You can embed an inline policy for a *[service-linked role](id_roles.md#iam-term-service-linked-role)* only in the service that depends on the role. See the [AWS documentation](https://docs.aws.amazon.com/) for your service to see whether it supports this feature.
+ **Delete** – Used with inline policies. You delete an inline policy from an IAM identity (a user, user group, or role). Deleting a policy removes its permissions from the identity.
**Note**
You can delete an inline policy for a *[service-linked role](id_roles.md#iam-term-service-linked-role)* only in the service that depends on the role. See the [AWS documentation](https://docs.aws.amazon.com/) for your service to see whether it supports this feature.
You can use the console, AWS CLI, or AWS API to perform any of these actions.
### More information
+ For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md).
+ For more information about permissions boundaries, see [Permissions boundaries for IAM entities](access_policies_boundaries.md).
+ For general information about IAM policies, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
+ For information about validating IAM policies, see [IAM policy validation](access_policies_policy-validator.md).
+ The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
## View identity activity
Before you change the permissions for an identity (user, user group, or role), you should review their recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
## Adding IAM identity permissions (console)
You can use the AWS Management Console to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a [permissions boundary](access_policies_boundaries.md). You can also embed an inline policy.
**To use a managed policy as a permissions policy for an identity (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, select the radio button next to the name of the policy to attach. You can use the search box to filter the list of policies.
1. Choose **Actions**, and then choose **Attach**.
1. Select one or more identities to attach the policy to. You can use the search box to filter the list of principal entities. After selecting the identities, choose **Attach policy**.
**To use a managed policy to set a permissions boundary (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.
1. On the policy details page, choose the **Entities attached** tab, and then, if necessary, open the **Attached as a permissions boundaries** section and choose **Set this policy as a permissions boundary**.
1. Select one or more users or roles on which to use the policy for a permissions boundary. You can use the search box to filter the list of principal entities. After selecting the principals, choose **Set permissions boundary**.
**To embed an inline policy for a user or role (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Users** or **Roles**.
1. In the list, choose the name of the user or role to embed a policy in.
1. Choose the **Permissions** tab.
1. Choose **Add permissions** and then choose **Create inline policy**.
**Note**
You cannot embed an inline policy in a *[service-linked role](id_roles.md#iam-term-service-linked-role)* in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or AWS CLI. To view the service-linked role documentation for a service, see [AWS services that work with IAM](reference_aws-services-that-work-with-iam.md) and choose **Yes** in the **Service-Linked Role** column for your service.
1. Choose from the following methods to view the steps required to create your policy:
+ [Importing existing managed policies](access_policies_create-console.md#access_policies_create-copy) – You can import a managed policy within your account and then edit the policy to customize it to your specific requirements. A managed policy can be an AWS managed policy or a customer managed policy that you created previously.
+ [Creating policies with the visual editor](access_policies_create-console.md#access_policies_create-visual-editor) – You can construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.
+ [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor) – In the **JSON** editor option, you can use JSON syntax to create a policy. You can type a new JSON policy document or paste an [example policy](access_policies_examples.md).
1. After you create an inline policy, it is automatically embedded in your user or role.
**To embed an inline policy for a user group (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **User groups**.
1. In the list, choose the name of the user group to embed a policy in.
1. Choose the **Permissions** tab, choose **Add permissions**, and then choose **Create inline policy**.
1. Do one of the following:
+ Choose the **Visual** option to create the policy. For more information, see [Creating policies with the visual editor](access_policies_create-console.md#access_policies_create-visual-editor).
+ Choose the **JSON** option to create the policy. For more information, see [Creating policies using the JSON editor](access_policies_create-console.md#access_policies_create-json-editor).
1. When you are satisfied with the policy, choose **Create policy**.
**To change the permissions boundary for one or more entities (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.
1. On the policy details page, choose the **Entities attached** tab, and then, if necessary, open the **Attached as a permissions boundary** section. Select the checkbox next to the users or roles whose boundaries you want to change and then choose **Change**.
1. Select a new policy to use for a permissions boundary. You can use the search box to filter the list of policies. After selecting the policy, choose **Set permissions boundary**.
## Removing IAM identity permissions (console)
You can use the AWS Management Console to remove permissions from an identity (user, user group, or role). To do this, detach managed policies that control permissions, or remove a policy that serves as a [permissions boundary](access_policies_boundaries.md). You can also delete an inline policy.
**To detach a managed policy used as a permissions policy (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, select the radio button next to the name of the policy to detach. You can use the search box to filter the list of policies.
1. Choose **Actions**, and then choose **Detach**.
1. Select the identities to detach the policy from. You can use the search box to filter the list of identities. After selecting the identities, choose **Detach policy**.
**To remove a permissions boundary (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the name of the policy to set. You can use the search box to filter the list of policies.
1. On the policy summary page, choose the **Entities attached** tab, and then, if necessary, open the **Attached as a permissions boundary** section and choose the entities to remove the permissions boundary from. Then choose **Remove boundary**.
1. Confirm that you want to remove the boundary and choose **Remove boundary**.
**To delete an inline policy (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **User groups**, **Users**, or **Roles**.
1. In the list, choose the name of the user group, user, or role that has the policy you want to remove.
1. Choose the **Permissions** tab.
1. Select the checkbox next to the policy and choose **Remove**.
1. Choose **Remove** in the confirmation box.
## Adding IAM policies (AWS CLI)
You can use the AWS CLI to add permissions to an identity (user, user group, or role). To do this, attach managed policies that control permissions, or specify a policy that serves as a [permissions boundary](access_policies_boundaries.md). You can also embed an inline policy.
**To use a managed policy as a permissions policy for an entity (AWS CLI)**
1. (Optional) To view information about a managed policy, run the following commands:
+ To list managed policies: [aws iam list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
+ To retrieve detailed information about a managed policy: [get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html)
1. To attach a managed policy to an identity (user, user group, or role), use one of the following commands:
+ [aws iam attach-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-user-policy.html)
+ [aws iam attach-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-group-policy.html)
+ [aws iam attach-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/attach-role-policy.html)
**To use a managed policy to set a permissions boundary (AWS CLI)**
1. (Optional) To view information about a managed policy, run the following commands:
+ To list managed policies: [aws iam list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
+ To retrieve detailed information about a managed policy: [aws iam get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html)
1. To use a managed policy to set the permissions boundary for an entity (user or role), use one of the following commands:
+ [aws iam put-user-permissions-boundary](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-permissions-boundary.html)
+ [aws iam put-role-permissions-boundary](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-permissions-boundary.html)
**To embed an inline policy (AWS CLI)**
To embed an inline policy to an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), use one of the following commands:
+ [aws iam put-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-policy.html)
+ [aws iam put-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-group-policy.html)
+ [aws iam put-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html)
## Removing IAM policies (AWS CLI)
You can use the AWS CLI to detach managed policies that control permissions, or remove a policy that serves as a [permissions boundary](access_policies_boundaries.md). You can also delete an inline policy.
**To detach a managed policy used as a permissions policy (AWS CLI)**
1. (Optional) To view information about a policy, run the following commands:
+ To list managed policies: [aws iam list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
+ To retrieve detailed information about a managed policy: [aws iam get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html)
1. (Optional) To find out about the relationships between the policies and identities, run the following commands:
+ To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached:
+ [aws iam list-entities-for-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html)
+ To list the managed policies attached to an identity (a user, user group, or role), use one of the following commands:
+ [aws iam list-attached-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-user-policies.html)
+ [aws iam list-attached-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-group-policies.html)
+ [aws iam list-attached-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html)
1. To detach a managed policy from an identity (user, user group, or role), use one of the following commands:
+ [aws iam detach-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html)
+ [aws iam detach-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/detach-group-policy.html)
+ [aws iam detach-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/detach-role-policy.html)
**To remove a permissions boundary (AWS CLI)**
1. (Optional) To view which managed policy is currently used to set the permissions boundary for a user or role, run the following commands:
+ [aws iam get-user](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user.html)
+ [aws iam get-role](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role.html)
1. (Optional) To view the users or roles on which a managed policy is used for a permissions boundary, run the following command:
+ [aws iam list-entities-for-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html)
1. (Optional) To view information about a managed policy, run the following commands:
+ To list managed policies: [aws iam list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
+ To retrieve detailed information about a managed policy: [aws iam get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html)
1. To remove a permissions boundary from a user or role, use one of the following commands:
+ [aws iam delete-user-permissions-boundary](https://docs.aws.amazon.com/cli/latest/reference/iam/detach-user-policy.html)
+ [aws iam delete-role-permissions-boundary](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-role-permissions-boundary.html)
**To delete an inline policy (AWS CLI)**
1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), use one of the following commands:
+ [aws iam list-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html)
+ [aws iam list-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-group-policies.html)
+ [aws iam list-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html)
1. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), use one of the following commands:
+ [aws iam get-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html)
+ [aws iam get-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group-policy.html)
+ [aws iam get-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role-policy.html)
1. To delete an inline policy from an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), use one of the following commands:
+ [aws iam delete-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-user-policy.html)
+ [aws iam delete-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html)
+ [aws iam delete-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-role-policy.html)
## Adding IAM policies (AWS API)
You can use the AWS API to attach managed policies that control permissions or specify a policy that serves as a [permissions boundary](access_policies_boundaries.md). You can also embed an inline policy.
**To use a managed policy as a permissions policy for an entity (AWS API)**
1. (Optional) To view information about a policy, call the following operations:
+ To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
+ To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)
1. To attach a managed policy to an identity (user, user group, or role), call one of the following operations:
+ [AttachUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachUserPolicy.html)
+ [AttachGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachGroupPolicy.html)
+ [AttachRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AttachRolePolicy.html)
**To use a managed policy to set a permissions boundary (AWS API)**
1. (Optional) To view information about a managed policy, call the following operations:
+ To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
+ To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)
1. To use a managed policy to set the permissions boundary for an entity (user or role), call one of the following operations:
+ [PutUserPermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPermissionsBoundary.html)
+ [PutRolePermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePermissionsBoundary.html)
**To embed an inline policy (AWS API)**
To embed an inline policy in an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), call one of the following operations:
+ [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html)
+ [PutGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html)
+ [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html)
## Removing IAM policies (AWS API)
You can use the AWS API to detach managed policies that control permissions or remove a policy that serves as a [permissions boundary](access_policies_boundaries.md). You can also delete an inline policy.
**To detach a managed policy used as a permissions policy (AWS API)**
1. (Optional) To view information about a policy, call the following operations:
+ To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
+ To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)
1. (Optional) To find out about the relationships between the policies and identities, call the following operations:
+ To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached:
+ [ListEntitiesForPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListEntitiesForPolicy.html)
+ To list the managed policies attached to an identity (a user, user group, or role), call one of the following operations:
+ [ListAttachedUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html)
+ [ListAttachedGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedGroupPolicies.html)
+ [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
1. To detach a managed policy from an identity (user, user group, or role), call one of the following operations:
+ [DetachUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html)
+ [DetachGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachGroupPolicy.html)
+ [DetachRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachRolePolicy.html)
**To remove a permissions boundary (AWS API)**
1. (Optional) To view which managed policy is currently used to set the permissions boundary for a user or role, call the following operations:
+ [GetUser](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html)
+ [GetRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRole.html)
1. (Optional) To view the users or roles on which a managed policy is used for a permissions boundary, call the following operation:
+ [ListEntitiesForPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListEntitiesForPolicy.html)
1. (Optional) To view information about a managed policy, call the following operations:
+ To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
+ To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)
1. To remove a permissions boundary from a user or role, call one of the following operations:
+ [DeleteUserPermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPermissionsBoundary.html)
+ [DeleteRolePermissionsBoundary](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePermissionsBoundary.html)
**To delete an inline policy (AWS API)**
1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), call one of the following operations:
+ [ListUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html)
+ [ListGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupPolicies.html)
+ [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html)
1. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), call one of the following operations:
+ [GetUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html)
+ [GetGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroupPolicy.html)
+ [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html)
1. To delete an inline policy from an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), call one of the following operations:
+ [DeleteUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html)
+ [DeleteGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html)
+ [DeleteRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html)
# Versioning IAM policies
When you make changes to an IAM customer managed policy, and when AWS makes changes to an AWS managed policy, the changed policy doesn't overwrite the existing policy. Instead, IAM creates a new *version* of the managed policy. IAM stores up to five versions of your customer managed policies. IAM does not support versioning for inline policies.
The following diagram illustrates versioning for a customer managed policy. In this example, the versions 1-4 are saved. You can have up to five managed policy versions saved to IAM. When you edit a policy that would create a sixth saved version, you can choose which older version should no longer be saved. You can revert to any of the other four saved versions at any time.
![\[Changes to managed policies become new versions of the policy\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-managed-policies-versions-overview.diagram.png)
A policy version is different from a `Version` policy element. The `Version` policy element is used within a policy and defines the version of the policy language. To learn more about the `Version` policy element see [IAM JSON policy elements: Version](reference_policies_elements_version.md).
You can use versions to track changes to a managed policy. For example, you might make a change to a managed policy and then discover that the change had unintended effects. In this case, you can roll back to a previous version of the managed policy by setting the previous version as the *default* version.
The following topics explain how you can use versioning for managed policies.
**Topics**
+ [Version limits](#version-limits)
+ [Use versions to roll back changes](#versions-roll-back)
+ [Permissions for setting the default version of a policy](#policy-version-permissions)
+ [Setting the default version of customer managed policies](#default-version)
## Version limits
A managed policy can have up to five versions. If you need to make changes to a managed policy beyond five versions from the AWS Command Line Interface, or the AWS API, you must first delete one or more existing versions. If you use the AWS Management Console, you do not have to delete a version before editing your policy. When you save a sixth version, a dialog box appears that prompts you to delete one or more nondefault versions of your policy. You can view the JSON policy document for each version to help you decide. For details about this dialog box, see [Edit IAM policies](access_policies_manage-edit.md).
You can delete any version of the managed policy that you want, except for the default version. When you delete a version, the version identifiers for the remaining versions do not change. As a result, version identifiers might not be sequential. For example, if you delete versions v2 and v4 of a managed policy and add two new versions, the remaining version identifiers might be v1, v3, v5, v6, and v7.
## Use versions to roll back changes
You can set the default version of a customer managed policy to roll back your changes. For example, consider the following scenario:
You create a customer managed policy that allows users to administer a particular Amazon S3 bucket using the AWS Management Console. Upon creation, your customer managed policy has only one version, identified as v1, so that version is automatically set as the default. The policy works as intended.
Later, you update the policy to add permission to administer a second Amazon S3 bucket. IAM creates a new version of the policy, identified as v2, that contains your changes. You set version v2 as the default, and a short time later your users report that they lack permission to use the Amazon S3 console. In this case, you can roll back to version v1 of the policy, which you know works as intended. To do this, you set version v1 as the default version. Your users are now able to use the Amazon S3 console to administer the original bucket.
Later, after you determine the error in version v2 of the policy, you update the policy again to add permission to administer the second Amazon S3 bucket. IAM creates another new version of the policy, identified as v3. You set version v3 as the default, and this version works as intended. At this point, you delete version v2 of the policy.
## Permissions for setting the default version of a policy
The permissions that are required to set the default version of a policy correspond to the AWS API operations for the task. You can use the `CreatePolicyVersion` or `SetDefaultPolicyVersion` API operations to set the default version of a policy. To allow someone to set the default policy version of an existing policy, you can allow access to either the `iam:CreatePolicyVersion` action or the `iam:SetDefaultPolicyVersion` action. The `iam:CreatePolicyVersion` action allows them to create a new version of the policy and to set that version as the default. The `iam:SetDefaultPolicyVersion` action allows them to set any existing version of the policy as the default.
**Important**
To prevent a user from making changes to the default version of a policy, you must deny both `iam:CreatePolicyVersion` and `iam:SetDefaultPolicyVersion`.
You can use the following policy to deny a user access to change an existing customer managed policy:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"iam:CreatePolicyVersion",
"iam:SetDefaultPolicyVersion"
],
"Resource": "arn:aws:iam::*:policy/POLICY-NAME"
}
]
}
```
------
## Setting the default version of customer managed policies
One of the versions of a managed policy is set as the *default* version. The policy's default version is the operative version—that is, it's the version that is in effect for all of the principal entities (IAM users, IAM groups, and IAM roles) that the managed policy is attached to.
When you create a customer managed policy, the policy begins with a single version identified as v1. For managed policies with only a single version, that version is automatically set as the default. For customer managed policies with more than one version, you choose which version to set as the default. For AWS managed policies, the default version is set by AWS. The following diagrams illustrate this concept.
![\[Managed policy with a single version, which is the default version\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-managed-policies-versions-default-one.diagram.png)
![\[Customer managed policy with three versions, where version v2 is the default version.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-managed-policies-versions-default-multiple.diagram.png)
You can set the default version of a customer managed policy to apply that version to every IAM identity (user, user group, and role) where the policy is attached. You cannot set the default version for an AWS managed policy or an inline policy.
**To set the default version of a customer managed policy (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the policy name of the policy to set the default version of. You can use the search box to filter the list of policies.
1. Choose the **Policy versions** tab. Select the checkbox next to the version that you want to set as the default version, and then choose **Set as default**.
To learn how to set the default version of a customer managed policy from the AWS Command Line Interface or the AWS API, see [Edit IAM policies (AWS CLI)](access_policies_manage-edit-cli.md).
# Edit IAM policies
A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. Policies are stored in AWS as JSON documents and are attached to principals as *identity-based policies* in IAM. You can attach an identity-based policy to a principal (or identity), such as an IAM user group, user, or role. Identity-based policies include AWS managed policies, customer managed policies, and [inline policies](access_policies_managed-vs-inline.md). You can edit customer managed policies and inline policies in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
It's generally better to use customer managed policies instead of inline policies or AWS managed policies. AWS managed policies usually provide broad administrative or read-only permissions. Inline policies can't be reused on other identities or managed outside of the identity where they exist. For the greatest security, [grant the least privilege](best-practices.md#grant-least-privilege), which means granting only the permissions required to perform specific job tasks.
When you create or edit IAM policies, AWS can automatically perform policy validation to help you create an effective policy with least privilege in mind. In the AWS Management Console, IAM identifies JSON syntax errors, while IAM Access Analyzer provides additional policy checks with recommendations to help you further refine your policies. To learn more about policy validation, see [IAM policy validation](access_policies_policy-validator.md). To learn more about IAM Access Analyzer policy checks and actionable recommendations, see [IAM Access Analyzer policy validation](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-validation.html).
You can use the AWS Management Console, AWS CLI, or AWS API to edit customer managed policies and inline policies in IAM. For more information about using CloudFormation templates to add or update policies, see [AWS Identity and Access Management resource type reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/AWS_IAM.html) in the *CloudFormation User Guide*.
**Topics**
+ [Edit IAM policies (console)](access_policies_manage-edit-console.md)
+ [Edit IAM policies (AWS CLI)](access_policies_manage-edit-cli.md)
+ [Edit IAM policies (AWS API)](access_policies_manage-edit-api.md)
# Edit IAM policies (console)
A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS Management Console to edit *customer managed policies* and *inline policies* in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
For more information about policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).
## Prerequisites
Before you change the permissions for a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
## Editing customer managed policies (console)
You can edit customer managed policies to change the permissions that are defined in the policy from the AWS Management Console. A customer managed policy can have up to five versions. This is important because if you make changes to a managed policy beyond five versions, the AWS Management Console prompts you to decide which version to delete. You can also change the default version or delete a version of a policy before you edit it to avoid being prompted. To learn more about versions, see [Versioning IAM policies](access_policies_managed-versioning.md).
------
#### [ Console ]
**To edit a customer managed policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the policy name of the policy to edit. You can use the search box to filter the list of policies.
1. Choose the **Permissions** tab, and then choose **Edit**.
1. Do one of the following:
+ Choose the **Visual** option to change your policy without understanding JSON syntax. You can make changes to the service, actions, resources, or optional conditions for each permission block in your policy. You can also import a policy to add additional permissions to the bottom of your policy. When you are finished making changes, choose **Next** to continue.
+ Choose the **JSON** option to modify your policy by typing or pasting text in the JSON text box. You can also import a policy to add additional permissions to the bottom of your policy. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**.
**Note**
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. On the **Review and save** page, review **Permissions defined in this policy** and then choose **Save changes** to save your work.
1. If the managed policy already has the maximum of five versions, choosing **Save changes** displays a dialog box. To save your new version, the oldest non-default version of the policy is removed and replaced with this new version. Optionally, you can set the new version as the default policy version.
Choose **Save changes** to save your new policy version.
------
## Setting the default version of a customer managed policy (console)
You can set a default version of a customer managed policy from the AWS Management Console. You can use this policy to establish a consistent baseline configuration for permissions across your organization. All new attachments of the policy will use this standardized set of permissions.
------
#### [ Console ]
**To set the default version of a customer managed policy (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the policy name of the policy to set the default version of. You can use the search box to filter the list of policies.
1. Choose the **Policy versions** tab. Select the check box next to the version that you want to set as the default version, and then choose **Set as default**.
------
## Deleting a version of a customer managed policy (console)
You might need to delete a version of a customer managed policy to remove outdated or incorrect permissions that are no longer needed or pose potential security risks. By maintaining only necessary versions, you can help ensure that you stay within the limit of five managed policy versions, allowing room for future updates and refinements. You can delete a version of a customer managed policy from the AWS Management Console.
------
#### [ Console ]
**To delete a version of a customer managed policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. Choose the name of the customer managed policy that has a version you want to delete. You can use the search box to filter the list of policies.
1. Choose the **Policy versions** tab. Select the check box next to the version that you want to delete. Then choose **Delete**.
1. Confirm that you want to delete the version, and then choose **Delete**.
------
## Editing inline policies (console)
You might need to edit a customer managed policy to update or refine the permissions granted, ensuring they remain aligned with your organization's evolving security requirements and access control needs. Editing allows you to adjust the policy's JSON document, adding, modifying, or removing specific actions, resources, or conditions to maintain the principle of least privilege and adapt to changes in your environment or processes. You can edit an inline policy from the AWS Management Console.
------
#### [ Console ]
**To edit an inline policy for a user, user group, or role**
1. In the navigation pane, choose **Users**, **User groups**, or **Roles**.
1. Choose the name of the user, user group, or role with the policy that you want to modify. Then choose the **Permissions** tab and expand the policy.
1. To edit an inline policy, choose **Edit Policy**.
1. Do one of the following:
+ Choose the **Visual** option to change your policy without understanding JSON syntax. You can make changes to the service, actions, resources, or optional conditions for each permission block in your policy. You can also import a policy to add additional permissions to the bottom of your policy. When you are finished making changes, choose **Next** to continue.
+ Choose the **JSON** option to modify your policy by typing or pasting text in the JSON text box. You can also import a policy to add additional permissions to the bottom of your policy. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**. To save your changes without affecting the currently attached entities, clear the check box for **Save as default version**.
**Note**
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. On the **Review** page, review the policy summary and then choose **Save changes** to save your work.
------
# Edit IAM policies (AWS CLI)
A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS Command Line Interface (AWS CLI) to edit *customer managed policies* and *inline policies* in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
For more information about policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).
## Prerequisites
Before you change the permissions for a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
## Editing customer managed policies (AWS CLI)
You can edit a customer managed policy from the AWS CLI.
**Note**
A managed policy can have up to five versions. If you need to make changes to a customer managed policy beyond five versions, you must first delete one or more existing versions.
**To edit a customer managed policy (AWS CLI)**
1. (Optional) To view information about a policy, run the following commands:
+ To list managed policies: [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
+ To retrieve detailed information about a managed policy: [get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html)
1. (Optional) To find out about the relationships between the policies and identities, run the following commands:
+ To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached:
+ [list-entities-for-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html)
+ To list the managed policies attached to an identity (a user, user group, or role):
+ [list-attached-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-user-policies.html)
+ [list-attached-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-group-policies.html)
+ [list-attached-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html)
1. To edit a customer managed policy, run the following command:
+ [create-policy-version](https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy-version.html)
1. (Optional) To validate a customer managed policy, run the following IAM Access Analyzer command:
+ [validate-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/validate-policy.html)
## Setting the default version of a customer managed policy (AWS CLI)
You can set a default version of a customer managed policy from the AWS CLI.
**To set the default version of a customer managed policy (AWS CLI)**
1. (Optional) To list managed policies, run the following command:
+ [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
1. To set the default version of a customer managed policy, run the following command:
+ [set-default-policy-version](https://docs.aws.amazon.com/cli/latest/reference/iam/set-default-policy-version.html)
## Deleting a version of a customer managed policy (AWS CLI)
You can delete a version of a customer managed policy from the AWS CLI.
**To delete a version of a customer managed policy (AWS CLI)**
1. (Optional) To list managed policies, run the following command:
+ [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
1. To delete a customer managed policy, run the following command:
+ [delete-policy-version](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy-version.html)
## Editing inline policies (AWS CLI)
You can edit an inline policy from the AWS CLI.
**To edit an inline policy (AWS CLI)**
1. (Optional) To view information about a policy, run the following commands:
+ To list inline policies associated to an identity (a user, user group, or role):
+ [list-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html)
+ [list-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html)
+ [list-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-group-policies.html)
+ To retrieve detailed information about a inline policy:
+ [get-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html)
+ [get-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role-policy.html)
+ [get-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group-policy.html)
1. To edit an inline policy, run the following command:
+ [put-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-user-policy.html)
+ [put-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-role-policy.html)
+ [put-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/put-group-policy.html)
1. (Optional) To validate an inline policy, run the following IAM Access Analyzer command:
+ [validate-policy](https://docs.aws.amazon.com/cli/latest/reference/accessanalyzer/validate-policy.html)
# Edit IAM policies (AWS API)
A [policy](access_policies.md) is an entity that, when attached to an identity or resource, defines their permissions. You can use the AWS API to edit *customer managed policies* and *inline policies* in IAM. AWS managed policies cannot be edited. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
For more information about policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).
## Prerequisites
Before you change the permissions for a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
## Editing customer managed policies (AWS API)
You can edit a customer managed policy using the AWS API.
**Note**
A managed policy can have up to five versions. If you need to make changes to a customer managed policy beyond five versions, you must first delete one or more existing versions.
**To edit a customer managed policy (AWS API)**
1. (Optional) To view information about a policy, call the following operations:
+ To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
+ To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)
1. (Optional) To find out about the relationships between the policies and identities, call the following operations:
+ To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached:
+ [ListEntitiesForPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListEntitiesForPolicy.html)
+ To list the managed policies attached to an identity (a user, user group, or role):
+ [ListAttachedUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html)
+ [ListAttachedGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedGroupPolicies.html)
+ [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
1. To edit a customer managed policy, call the following operation:
+ [CreatePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicyVersion.html)
1. (Optional) To validate a customer managed policy, call the following IAM Access Analyzer operation:
+ [ValidatePolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html)
## Setting the default version of a customer managed policy (AWS API)
You can set a default version of a customer managed policy from the AWS API.
**To set the default version of a customer managed policy (AWS API)**
1. (Optional) To list managed policies, call the following operation:
+ [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
1. To set the default version of a customer managed policy, call the following operation:
+ [SetDefaultPolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_SetDefaultPolicyVersion.html)
## Deleting a version of a customer managed policy (AWS API)
You can delete a version of a customer managed policy from the AWS API.
**To delete a version of a customer managed policy (AWS API)**
1. (Optional) To list managed policies, call the following operation:
+ [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
1. To delete a customer managed policy, call the following operation:
+ [DeletePolicyVersion](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicyVersion.html)
## Editing inline policies (AWS API)
You can edit an inline policy from the AWS API.
**To edit an inline policy (AWS API)**
1. (Optional) To view information about an inline policy, run the following operations:
+ To list inline policies associated to an identity (a user, user group, or role):
+ [ListUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html)
+ [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html)
+ [ListGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupPolicies.html)
+ To retrieve detailed information about an inline policy:
+ [GetUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html)
+ [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html)
+ [GetGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroupPolicy.html)
1. To edit an inline policy, run the following operations:
+ [PutUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutUserPolicy.html)
+ [PutRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutRolePolicy.html)
+ [PutGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_PutGroupPolicy.html)
1. (Optional) To validate an inline policy, run the following IAM Access Analyzer operation:
+ [ValidatePolicy](https://docs.aws.amazon.com/access-analyzer/latest/APIReference/API_ValidatePolicy.html)
# Delete IAM policies
You can delete IAM policies using the AWS Management Console, the AWS Command Line Interface (AWS CLI), or the AWS API.
**Note**
Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered.
For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).
For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md).
The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
**Topics**
+ [Delete IAM policies (console)](access_policies_manage-delete-console.md)
+ [Delete IAM policies (AWS CLI)](access_policies_manage-delete-cli.md)
+ [Delete IAM policies (AWS API)](access_policies_manage-delete-api.md)
# Delete IAM policies (console)
You can use the AWS Management Console to delete *customer managed policies* and *inline policies* in IAM. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
**Note**
Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered.
For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).
For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md).
## Prerequisites
Before you delete a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
## Deleting IAM policies (console)
You might need to delete a customer managed policy when it becomes obsolete or no longer aligns with your organization's security requirements and access control needs. By deleting unnecessary policies, you reduce potential security risks associated with outdated or unused policies. You can delete a customer managed policy to remove it from your AWS account. You cannot delete AWS managed policies.
------
#### [ Console ]
**To delete a customer managed policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. Select the radio button next to the customer managed policy to delete. You can use the search box to filter the list of policies.
1. Choose **Actions**, and then choose **Delete**.
1. Follow the instructions to confirm that you want to delete the policy, and then choose **Delete**.
------
## Deleting inline policies (console)
You might need to delete an inline policy when the specific permissions it grants are no longer required for the IAM user, group, or role to which it's directly attached. Deleting unnecessary inline policies helps reduce the risk of unintended access, especially since inline policies can't be reused or shared across multiple identities like managed policies can. You can delete an inline policy to remove it from your AWS account. You cannot delete AWS managed policies.
------
#### [ Console ]
**To delete an inline policy for a IAM user, group, or role**
1. In the navigation pane, choose **User groups**, **Users**, or **Roles**.
1. Choose the name of the user group, user, or role with the policy that you want to delete. Then choose the **Permissions** tab.
1. Select the checkboxes next to the policies to delete and choose **Remove**. Then, in the confirmation dialog, confirm the removal and deletion of the policy.
+ To delete an inline policy in **Users** or **Roles**, choose **Remove** to confirm the deletion.
+ If you are deleting a single inline policy in **User groups**, type the name of the policy and choose **Delete**. If you are deleting multiple inline policies in **User groups**, type the number of policies you are deleting followed by **inline policies** and choose **Delete**. For example, if you are deleting three inline policies, type **3 inline policies**.
------
# Delete IAM policies (AWS CLI)
You can use the AWS Command Line Interface (AWS CLI) to delete *customer managed policies* and *inline policies* in IAM. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
**Note**
Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered.
For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).
For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md).
## Prerequisites
Before you delete a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
## Deleting customer managed policies (AWS CLI)
You can delete a customer managed policy from the AWS Command Line Interface.
**To delete a customer managed policy (AWS CLI)**
1. (Optional) To view information about a policy, run the following commands:
+ To list managed policies: [list-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies.html)
+ To retrieve detailed information about a managed policy: [get-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-policy.html)
1. (Optional) To find out about the relationships between the policies and identities, run the following commands:
+ To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached, run the following command:
+ [list-entities-for-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/list-entities-for-policy.html)
+ To list the managed policies attached to an identity (a user, user group, or role), run one of the following commands:
+ [list-attached-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-user-policies.html)
+ [list-attached-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-group-policies.html)
+ [list-attached-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-attached-role-policies.html)
1. To delete a customer managed policy, run the following command:
+ [delete-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-policy.html)
## Deleting inline policies (AWS CLI)
You can delete an inline policy from the AWS CLI.
**To delete an inline policy (AWS CLI)**
1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), use one of the following commands:
+ [aws iam list-user-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-user-policies.html)
+ [aws iam list-group-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-group-policies.html)
+ [aws iam list-role-policies](https://docs.aws.amazon.com/cli/latest/reference/iam/list-role-policies.html)
1. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), use one of the following commands:
+ [aws iam get-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-user-policy.html)
+ [aws iam get-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-group-policy.html)
+ [aws iam get-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/get-role-policy.html)
1. To delete an inline policy from an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), use one of the following commands:
+ [aws iam delete-user-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-user-policy.html)
+ [aws iam delete-group-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-group-policy.html)
+ [aws iam delete-role-policy](https://docs.aws.amazon.com/cli/latest/reference/iam/delete-role-policy.html)
# Delete IAM policies (AWS API)
You can use the AWS API to delete *customer managed policies* and *inline policies* in IAM. The number and size of IAM resources in an AWS account are limited. For more information, see [IAM and AWS STS quotas](reference_iam-quotas.md).
**Note**
Deletion of IAM policies is permanent. After the policy is deleted it cannot be recovered.
For more information about IAM policy structure and syntax, see [Policies and permissions in AWS Identity and Access Management](access_policies.md) and the [IAM JSON policy element reference](reference_policies_elements.md).
For more information about the difference between managed and inline policies, see [Managed policies and inline policies](access_policies_managed-vs-inline.md).
## Prerequisites
Before you delete a policy, you should review its recent service-level activity. This is important because you don't want to remove access from a principal (person or application) who is using it. For more information about viewing last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
## Deleting customer managed policies (AWS API)
You can delete a customer managed policy using the AWS API.
**To delete a customer managed policy (AWS API)**
1. (Optional) To view information about a policy, call the following operations:
+ To list managed policies: [ListPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPolicies.html)
+ To retrieve detailed information about a managed policy: [GetPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetPolicy.html)
1. (Optional) To find out about the relationships between the policies and identities, call the following operations:
+ To list the identities (IAM users, IAM groups, and IAM roles) to which a managed policy is attached, call the following operation:
+ [ListEntitiesForPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListEntitiesForPolicy.html)
+ To list the managed policies attached to an identity (a user, user group, or role), call one of the following operations:
+ [ListAttachedUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html)
+ [ListAttachedGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedGroupPolicies.html)
+ [ListAttachedRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedRolePolicies.html)
1. To delete a customer managed policy, call the following operation:
+ [DeletePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeletePolicy.html)
## Deleting inline policies (AWS API)
You can delete an inline policy using the AWS API.
**To delete an inline policy (AWS API)**
1. (Optional) To list all inline policies that are attached to an identity (user, user group, role), call one of the following operations:
+ [ListUserPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html)
+ [ListGroupPolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupPolicies.html)
+ [ListRolePolicies](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListRolePolicies.html)
1. (Optional) To retrieve an inline policy document that is embedded in an identity (user, user group, or role), call one of the following operations:
+ [GetUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUserPolicy.html)
+ [GetGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroupPolicy.html)
+ [GetRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetRolePolicy.html)
1. To delete an inline policy from an identity (user, user group, or role that is not a *[service-linked role](id_roles.md#iam-term-service-linked-role)*), call one of the following operations:
+ [DeleteUserPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html)
+ [DeleteGroupPolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroupPolicy.html)
+ [DeleteRolePolicy](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteRolePolicy.html)
# Refine permissions in AWS using last accessed information
As an administrator, you might grant permissions to IAM resources (roles, users, user groups, or policies) beyond what they require. IAM provides last accessed information to help you identify unused permissions so that you can remove them. You can use last accessed information to refine your policies and allow access to only the services and actions that your IAM identities and policies use. This helps you to better adhere to the [best practice of least privilege.](best-practices.md#grant-least-privilege) You can view last accessed information for identities or policies that exist in IAM or AWS Organizations.
You can continuously monitor last accessed information with unused access analyzers. For more information, see [Findings for external and unused access](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-findings.html).
**Topics**
+ [Last accessed information types for IAM](#access_policies_last-accessed-data-types)
+ [Last accessed information for AWS Organizations](#access_policies_last-accessed-orgs)
+ [Things to know about last accessed information](#access_policies_last-accessed-know)
+ [Permissions required](#access_policies_last-accessed-permissions)
+ [Troubleshoot activity for IAM and AWS Organizations entities](#access_policies_last-accessed-troubleshooting)
+ [Where AWS tracks last accessed information](#last-accessed_tracking-period)
+ [View last accessed information for IAM](access_policies_last-accessed-view-data.md)
+ [View last accessed information for AWS Organizations](access_policies_last-accessed-view-data-orgs.md)
+ [Example scenarios for using last accessed information](access_policies_last-accessed-example-scenarios.md)
+ [IAM action last accessed information services and actions](access_policies_last-accessed-action-last-accessed.md)
## Last accessed information types for IAM
You can view two types of last accessed information for IAM identities: allowed AWS service information and allowed action information. The information includes the date and time when the attempt to access an AWS API was made. For actions, last accessed information reports service management actions. Management actions include creation, deletion, and modification actions. To learn more about how to view last accessed information for IAM, see [View last accessed information for IAM](access_policies_last-accessed-view-data.md).
For example scenarios for using last accessed information to make decisions about the permissions that you grant to your IAM identities, see [Example scenarios for using last accessed information](access_policies_last-accessed-example-scenarios.md).
To learn more about how the information for management actions is provided, see [Things to know about last accessed information](#access_policies_last-accessed-know).
## Last accessed information for AWS Organizations
If you sign in using management account credentials, you can view service last accessed information for an AWS Organizations entity or policy in your organization. AWS Organizations entities include the organization root, organizational units (OUs), or accounts. Last accessed information for AWS Organizations includes information about services that are allowed by a service control policy (SCP). The information indicates which principals (root user, IAM user, or role) in an organization or account last attempted to access the service and when. To learn more about the report and how to view last accessed information for AWS Organizations, see [View last accessed information for AWS Organizations](access_policies_last-accessed-view-data-orgs.md).
For example scenarios for using last accessed information to make decisions about the permissions that you grant to your AWS Organizations entities, see [Example scenarios for using last accessed information](access_policies_last-accessed-example-scenarios.md).
## Things to know about last accessed information
Before you use last accessed information from a report to change the permissions for an IAM identity or AWS Organizations entity, review the following details about the information.
+ **Tracking period** – Recent activity appears in the IAM console within four hours. The tracking period for service information is at least 400 days depending on when the service started tracking actions information. The tracking period for Amazon S3 actions information began on April, 12, 2020. The tracking period for Amazon EC2, IAM, and Lambda actions began on April 7, 2021. The tracking period for all other services began on May 23, 2023. For a list of services for which action last accessed information is available, see [IAM action last accessed information services and actions](access_policies_last-accessed-action-last-accessed.md). For more information on which Regions action last accessed information is available in, see [Where AWS tracks last accessed information](#last-accessed_tracking-period).
+ **Attempts reported** – The service last accessed data includes all attempts to access an AWS API, not just the successful attempts. This includes all attempts that were made using the AWS Management Console, the AWS API through any of the SDKs, or any of the command line tools. An unexpected entry in the service last accessed data does not mean that your account has been compromised, because the request might have been denied. Refer to your CloudTrail logs as the authoritative source for information about all API calls and whether they were successful or denied access.
+ **PassRole** – The `iam:PassRole` action is not tracked and is not included in IAM action last accessed information.
+ **Action last accessed information** – Action last accessed information is available for service management actions accessed by IAM identities. See the [list of services and their actions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_last-accessed-action-last-accessed.html#access_policies_last-accessed-action-last-accessed-supported-actions) for which action last accessed reports information.
**Note**
Action last accessed information is not available for any data plane event.
+ **Management events** – IAM provides action information for service management events that are logged by CloudTrail. Sometimes, CloudTrail management events are also called control plane operations or control plane events. Management events provide visibility into administrative operations that are performed on resources in your AWS account. To learn more about management events in CloudTrail, see [Logging management events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/logging-management-events-with-cloudtrail.html) in the *AWS CloudTrail User Guide*.
+ **Report owner** – Only the principal that generates a report can view the report details. This means that when you view the information in the AWS Management Console, you might have to wait for it to generate and load. If you use the AWS CLI or AWS API to get report details, your credentials must match the credentials of the principal that generated the report. If you use temporary credentials for a role or AWS STS federated user principal, you must generate and retrieve the report during the same session. For more information about assumed-role session principals, see [AWS JSON policy elements: Principal](reference_policies_elements_principal.md).
+ **IAM resources** – The last accessed information for IAM includes IAM resources (roles, users, IAM groups, and policies) in your account. Last accessed information for AWS Organizations includes principals (IAM users, IAM roles, or the AWS account root user) in the specified AWS Organizations entity. The last accessed information does not include unauthenticated attempts.
+ **IAM policy types** – The last accessed information for IAM includes services that are allowed by an IAM identity's policies. These are policies attached to a role or attached to a user directly or through a group. Access allowed by other policy types is not included in your report. The excluded policy types include resource-based policies, access control lists, AWS Organizations SCPs, IAM permissions boundaries, and session policies. Permissions that are provided by service-linked roles are defined by the service that they are linked to and can't be modified in IAM. To learn more about service-linked roles, see [Create a service-linked role](id_roles_create-service-linked-role.md) To learn how the different policy types are evaluated to allow or deny access, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
+ **AWS Organizations policy types** – The information for AWS Organizations includes only services that are allowed by an AWS Organizations entity's inherited service control policies (SCPs). SCPs are policies attached to a root, OU, or account. Access allowed by other policy types is not included in your report. The excluded policy types include identity-based policies, resource-based policies, access control lists, IAM permissions boundaries, and session policies. To learn how the different policy types are evaluated to allow or deny access, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
+ **Specifying a policy ID** – When you use the AWS CLI or AWS API to generate a report for last accessed information in AWS Organizations, you can optionally specify a policy ID. The resulting report includes information for the services that are allowed by only that policy. The information includes the most recent account activity in the specified AWS Organizations entity or the entity's children. For more information, see [aws iam generate-organizations-access-report](https://docs.aws.amazon.com/cli/latest/reference/iam/generate-organizations-access-report.html) or [GenerateOrganizationsAccessReport](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateOrganizationsAccessReport.html).
+ **AWS Organizations management account** – You must sign in to your organization's management account to view service last accessed information. You can choose to view information for the management account using the IAM console, the AWS CLI, or the AWS API. The resulting report lists all AWS services, because the management account is not limited by SCPs. If you specify a policy ID in the CLI or API, the policy is ignored. For each service, the report includes information for only the management account. However, reports for other AWS Organizations entities do not return information for activity in the management account.
+ **AWS Organizations settings** – An administrator must [enable SCPs in your organization root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#enable_policies_on_root) before you can generate data for AWS Organizations.
## Permissions required
To view the last accessed information in the AWS Management Console, you must have a policy that grants the necessary permissions.
### Permissions for IAM information
To use the IAM console to view the last accessed information for an IAM user, role, or policy, you must have a policy that includes the following actions:
+ `iam:GenerateServiceLastAccessedDetails`
+ `iam:Get*`
+ `iam:List*`
These permissions allow a user to see the following:
+ Which users, groups, or roles are attached to a [managed policy](https://docs.aws.amazon.com/glossary/latest/reference/glos-chap.html#managed_policy)
+ Which services a user or role can access
+ The last time they accessed the service
+ The last time they attempted to use a specific Amazon EC2, IAM, Lambda, or Amazon S3 action
To use the AWS CLI or AWS API to view last accessed information for IAM, you must have permissions that match the operation you want to use:
+ `iam:GenerateServiceLastAccessedDetails`
+ `iam:GetServiceLastAccessedDetails`
+ `iam:GetServiceLastAccessedDetailsWithEntities`
+ `iam:ListPoliciesGrantingServiceAccess`
This example shows how you might create an identity-based policy that allows viewing IAM last accessed information. Additionally, it allows read-only access to all of IAM. This policy defines permissions for programmatic and console access.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:GenerateServiceLastAccessedDetails",
"iam:Get*",
"iam:List*"
],
"Resource": "*"
}
}
```
------
### Permissions for AWS Organizations information
To use the IAM console to view a report for the root, OU, or account entities in AWS Organizations, you must have a policy that includes the following actions:
+ `iam:GenerateOrganizationsAccessReport`
+ `iam:GetOrganizationsAccessReport`
+ `organizations:DescribeAccount`
+ `organizations:DescribeOrganization`
+ `organizations:DescribeOrganizationalUnit`
+ `organizations:DescribePolicy`
+ `organizations:ListChildren`
+ `organizations:ListParents`
+ `organizations:ListPoliciesForTarget`
+ `organizations:ListRoots`
+ `organizations:ListTargetsForPolicy`
To use the AWS CLI or AWS API to view service last accessed information for AWS Organizations, you must have a policy that includes the following actions:
+ `iam:GenerateOrganizationsAccessReport`
+ `iam:GetOrganizationsAccessReport`
+ `organizations:DescribePolicy`
+ `organizations:ListChildren`
+ `organizations:ListParents`
+ `organizations:ListPoliciesForTarget`
+ `organizations:ListRoots`
+ `organizations:ListTargetsForPolicy`
This example shows how you might create an identity-based policy that allows viewing service last accessed information for AWS Organizations. Additionally, it allows read-only access to all of AWS Organizations. This policy defines permissions for programmatic and console access.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"iam:GenerateOrganizationsAccessReport",
"iam:GetOrganizationsAccessReport",
"organizations:Describe*",
"organizations:List*"
],
"Resource": "*"
}
}
```
------
You can also use the [iam:OrganizationsPolicyId](reference_policies_iam-condition-keys.md#ck_OrganizationsPolicyId) condition key to allow generating a report only for a specific AWS Organizations policy. For an example policy, see [IAM: View service last accessed information for an AWS Organizations policy](reference_policies_examples_iam_service-accessed-data-orgs.md).
## Troubleshoot activity for IAM and AWS Organizations entities
In some cases, your AWS Management Console last accessed information table might be empty. Or perhaps your AWS CLI or AWS API request returns an empty set of information or a null field. In these cases, review the following issues:
+ For action last accessed information, an action that you are expecting to see might not be returned in the list. This can happen either because the IAM identity does not have permissions for the action, or AWS does not yet track the action for last accessed information.
+ For an IAM user, make sure that the user has at least one inline or managed policy attached, either directly or through group memberships.
+ For an IAM group, verify that the group has at least one inline or managed policy attached.
+ For an IAM group, the report returns only the service last accessed information for members that used the group's policies to access a service. To learn whether a member used other policies, review the last accessed information for that user.
+ For an IAM role, verify that the role has at least one inline or managed policy attached.
+ For an IAM entity (user or role), review other policy types that might affect the permissions of that entity. These include resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, or session policies. For more information, see [Policy types](access_policies.md#access_policy-types) or [Policy evaluation for requests within a single account](reference_policies_evaluation-logic_policy-eval-basics.md).
+ For an IAM policy, make sure that the specified managed policy is attached to at least one user, group with members, or role.
+ For an AWS Organizations entity (root, OU, or account), make sure that you are signed using AWS Organizations management account credentials.
+ Verify that [SCPs are enabled in your organization root](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies.html#enable_policies_on_root).
+ Action last accessed information is only available for the actions listed in [IAM action last accessed information services and actions](access_policies_last-accessed-action-last-accessed.md).
When you make changes, wait at least four hours for activity to appear in your IAM console report. If you use the AWS CLI or AWS API, you must generate a new report to view the updated information.
## Where AWS tracks last accessed information
AWS collects last accessed information for the standard AWS Regions. When AWS adds additional Regions, those Regions are added to the following table, including the date that AWS started tracking information in each Region.
+ **Service information** – The tracking period for services is at least 400 days, or less if your Region began tracking this feature within the last 400 days.
+ **Actions information** – The tracking period for Amazon S3 management actions began on April, 12, 2020. The tracking period for Amazon EC2, IAM, and Lambda management actions began on April 7, 2021. The tracking period for management actions of all other services began on May 23, 2023. If a Region's tracking date is later than May 23, 2023, then action last accessed information from that Region will start at the later date.
| Region name | Region | Tracking start date |
| --- | --- | --- |
| US East (Ohio) | us-east-2 | October 27, 2017 |
| US East (N. Virginia) | us-east-1 | October 1, 2015 |
| US West (N. California) | us-west-1 | October 1, 2015 |
| US West (Oregon) | us-west-2 | October 1, 2015 |
| Africa (Cape Town) | af-south-1 | April 22, 2020 |
| Asia Pacific (Hong Kong) | ap-east-1 | April 24, 2019 |
| Asia Pacific (Hyderabad) | ap-south-2 | November 22, 2022 |
| Asia Pacific (Jakarta) | ap-southeast-3 | December 13, 2021 |
| Asia Pacific (Melbourne) | ap-southeast-4 | January 23, 2023 |
| Asia Pacific (Mumbai) | ap-south-1 | June 27, 2016 |
| Asia Pacific (Osaka) | ap-northeast-3 | February 11, 2018 |
| Asia Pacific (Seoul) | ap-northeast-2 | January 6, 2016 |
| Asia Pacific (Singapore) | ap-southeast-1 | October 1, 2015 |
| Asia Pacific (Sydney) | ap-southeast-2 | October 1, 2015 |
| Asia Pacific (Tokyo) | ap-northeast-1 | October 1, 2015 |
| Canada (Central) | ca-central-1 | October 28, 2017 |
| Europe (Frankfurt) | eu-central-1 | October 1, 2015 |
| Europe (Ireland) | eu-west-1 | October 1, 2015 |
| Europe (London) | eu-west-2 | October 28, 2017 |
| Europe (Milan) | eu-south-1 | April 28, 2020 |
| Europe (Paris) | eu-west-3 | December 18, 2017 |
| Europe (Spain) | eu-south-2 | November 15, 2022 |
| Europe (Stockholm) | eu-north-1 | December 12, 2018 |
| Europe (Zurich) | eu-central-2 | November 8, 2022 |
| Israel (Tel Aviv) | il-central-1 | August 1, 2023 |
| Middle East (Bahrain) | me-south-1 | July 29, 2019 |
| Middle East (UAE) | me-central-1 | August 30, 2022 |
| South America (São Paulo) | sa-east-1 | December 11, 2015 |
| AWS GovCloud (US-East) | us-gov-east-1 | July 1, 2023 |
| AWS GovCloud (US-West) | us-gov-west-1 | July 1, 2023 |
If a Region is not listed in the previous table, then that Region does not yet provide last accessed information.
An AWS Region is a collection of AWS resources in a geographic area. Regions are grouped into partitions. The standard Regions are the Regions that belong to the `aws` partition. For more information about the different partitions, see [Amazon Resource Names (ARNs) Format](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-syntax) in the AWS General Reference. For more information about Regions, see [About AWS Regions](https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#region-what-is) also in the AWS General Reference.
# View last accessed information for IAM
You can view last accessed information for IAM using the AWS Management Console, AWS CLI, or AWS API. See the [list of services and their actions](access_policies_last-accessed-action-last-accessed.md) for which last accessed information is displayed. For more information about last accessed information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
You can view information for the following resource types in IAM. In each case, the information includes allowed services for the given reporting period:
+ **User** – View the last time that the user attempted to access each allowed service.
+ **User group** – View information about the last time that a user group member attempted to access each allowed service. This report also includes the total number of members that attempted access.
+ **Role** – View the last time that someone used the role in an attempt to access each allowed service.
+ **Policy** – View information about the last time that a user or role attempted to access each allowed service. This report also includes the total number of entities that attempted access.
**Note**
Before you view the access information for a resource in IAM, make sure you understand the reporting period, reported entities, and the evaluated policy types for your information. For more details, see [Things to know about last accessed information](access_policies_last-accessed.md#access_policies_last-accessed-know).
## Viewing information for IAM (console)
You can view last accessed information for IAM on the **Last Accessed** tab in the IAM console.
**To view information for IAM (console)**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose either **User groups**, **Users**, **Roles**, or **Policies**.
1. Choose any user, user group, role, or policy name to open its **Summary** page and choose the **Last Accessed** tab. View the following information, based on the resource that you chose:
+ **User group** – View the list of services that user group members can access. You can also view when a member last accessed the service, what user group policies they used, and which user group member made the request. Choose the name of the policy to learn whether it is a managed policy or an inline user group policy. Choose the name of the user group member to see all of the members of the user group and when they last accessed the service.
+ **User** – View the list of services that the user can access. You can also view when they last accessed the service, and what policies are currently associated with the user. Choose the name of the policy to learn whether it is a managed policy, an inline user policy, or an inline policy for the user group.
+ **Role** – View the list of services that the role can access, when the role last accessed the service, and what policies were used. Choose the name of the policy to learn whether it is a managed policy or an inline role policy.
+ **Policy** – View the list of services with allowed actions in the policy. You can also view when the policy was last used to access the service, and which entity (user or role) used the policy. The **Last accessed** date also includes when access is granted to this policy through another policy. Choose the name of the entity to learn which entities have this policy attached and when they last accessed the service.
1. In the **Service** column of the table, choose the name of [one of the services that includes action last accessed information](access_policies_last-accessed-action-last-accessed.md) to view a list of management actions that IAM entities have attempted to access. You can view the AWS Region and a timestamp that shows when someone last attempted to perform the action.
1. The **Last accessed** column is displayed for services and management actions of [the services that include action last accessed information](access_policies_last-accessed-action-last-accessed.md). Review the following possible results that are returned in this column. These results vary depending on whether a service or action is allowed, was accessed, and whether it is tracked by AWS for last accessed information.
** days ago**
The number of days since the service or action was used in the tracking period. The tracking period for services is for the last 400 days. The tracking period for Amazon S3 actions started on April 12, 2020. The tracking period for Amazon EC2, IAM, and Lambda actions started on April 7, 2021. The tracking period for all other services began on May 23, 2023. To learn more about the tracking start dates for each AWS Region, see [Where AWS tracks last accessed information](access_policies_last-accessed.md#last-accessed_tracking-period).
**Not accessed in the tracking period**
The tracked service or action has not been used by an entity in the tracking period.
It is possible for you to have permissions for an action that doesn't appear in the list. This can happen if the tracking information for the action is not currently included by AWS. You should not make permissions decisions based solely on the absence of tracking information. Instead, we recommend that you use this information to inform and support your overall strategy of granting least privilege. Check your policies to confirm that the level of access is appropriate.
## Viewing information for IAM (AWS CLI)
You can use the AWS CLI to retrieve information about the last time that an IAM resource was used to attempt to access AWS services and Amazon S3, Amazon EC2, IAM, and Lambda actions. An IAM resource can be a user, user group, role, or policy.
**To view information for IAM (AWS CLI)**
1. Generate a report. The request must include the ARN of the IAM resource (user, user group, role, or policy) for which you want a report. You can specify the level of granularity that you want to generate in the report to view access details for either services or both services and actions. The request returns a `job-id` that you can then use in the `get-service-last-accessed-details` and `get-service-last-accessed-details-with-entities` operations to monitor the `job-status` until the job is complete.
+ [aws iam generate-service-last-accessed-details](https://docs.aws.amazon.com/cli/latest/reference/iam/generate-service-last-accessed-details.html)
1. Retrieve details about the report using the `job-id` parameter from the previous step.
+ [aws iam get-service-last-accessed-details](https://docs.aws.amazon.com/cli/latest/reference/iam/get-service-last-accessed-details.html)
This operation returns the following information, based on the type of resource and level of granularity that you requested in the `generate-service-last-accessed-details` operation:
+ **User** – Returns a list of services that the specified user can access. For each service, the operation returns the date and time of the user's last attempt and the ARN of the user.
+ **User group** – Returns a list of services that members of the specified user group can access using the policies attached to the user group. For each service, the operation returns the date and time of the last attempt made by any user group member. It also returns the ARN of that user and the total number of user group members that have attempted to access the service. Use the [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html) operation to retrieve a list of all of the members.
+ **Role** – Returns a list of services that the specified role can access. For each service, the operation returns the date and time of the role's last attempt and the ARN of the role.
+ **Policy** – Returns a list of services for which the specified policy allows access. For each service, the operation returns the date and time that an entity (user or role) last attempted to access the service using the policy. It also returns the ARN of that entity and the total number of entities that attempted access.
1. Learn more about the entities that used user group or policy permissions in an attempt to access a specific service. This operation returns a list of entities with each entity's ARN, ID, name, path, type (user or role), and when they last attempted to access the service. You can also use this operation for users and roles, but it only returns information about that entity.
+ [aws iam get-service-last-accessed-details-with-entities](https://docs.aws.amazon.com/cli/latest/reference/iam/get-service-last-accessed-details-with-entities.html)
1. Learn more about the identity-based policies that an identity (user, user group, or role) used in an attempt to access a specific service. When you specify an identity and service, this operation returns a list of permissions policies that the identity can use to access the specified service. This operation gives the current state of policies and does not depend on the generated report. It also does not return other policy types, such as resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, or session policies. For more information, see [Policy types](access_policies.md#access_policy-types) or [Policy evaluation for requests within a single account](reference_policies_evaluation-logic_policy-eval-basics.md).
+ [aws iam list-policies-granting-service-access](https://docs.aws.amazon.com/cli/latest/reference/iam/list-policies-granting-service-access.html)
## Viewing information for IAM (AWS API)
You can use the AWS API to retrieve information about the last time that an IAM resource was used to attempt to access AWS services and Amazon S3, Amazon EC2, IAM, and Lambda actions. An IAM resource can be a user, user group, role, or policy. You can specify the level of granularity to generate in the report to view details for either services or both services and actions.
**To view information for IAM (AWS API)**
1. Generate a report. The request must include the ARN of the IAM resource (user, user group, role, or policy) for which you want a report. It returns a `JobId` that you can then use in the `GetServiceLastAccessedDetails` and `GetServiceLastAccessedDetailsWithEntities` operations to monitor the `JobStatus` until the job is complete.
+ [GenerateServiceLastAccessedDetails](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateServiceLastAccessedDetails.html)
1. Retrieve details about the report using the `JobId` parameter from the previous step.
+ [GetServiceLastAccessedDetails](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetails.html)
This operation returns the following information, based on the type of resource and level of granularity that you requested in the `GenerateServiceLastAccessedDetails` operation:
+ **User** – Returns a list of services that the specified user can access. For each service, the operation returns the date and time of the user's last attempt and the ARN of the user.
+ **User group** – Returns a list of services that members of the specified user group can access using the policies attached to the user group. For each service, the operation returns the date and time of the last attempt made by any user group member. It also returns the ARN of that user and the total number of user group members that have attempted to access the service. Use the [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html) operation to retrieve a list of all of the members.
+ **Role** – Returns a list of services that the specified role can access. For each service, the operation returns the date and time of the role's last attempt and the ARN of the role.
+ **Policy** – Returns a list of services for which the specified policy allows access. For each service, the operation returns the date and time that an entity (user or role) last attempted to access the service using the policy. It also returns the ARN of that entity and the total number of entities that attempted access.
1. Learn more about the entities that used user group or policy permissions in an attempt to access a specific service. This operation returns a list of entities with each entity's ARN, ID, name, path, type (user or role), and when they last attempted to access the service. You can also use this operation for users and roles, but it only returns information about that entity.
+ [GetServiceLastAccessedDetailsWithEntities](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetServiceLastAccessedDetailsWithEntities.html)
1. Learn more about the identity-based policies that an identity (user, user group, or role) used in an attempt to access a specific service. When you specify an identity and service, this operation returns a list of permissions policies that the identity can use to access the specified service. This operation gives the current state of policies and does not depend on the generated report. It also does not return other policy types, such as resource-based policies, access control lists, AWS Organizations policies, IAM permissions boundaries, or session policies. For more information, see [Policy types](access_policies.md#access_policy-types) or [Policy evaluation for requests within a single account](reference_policies_evaluation-logic_policy-eval-basics.md).
+ [ListPoliciesGrantingServiceAccess](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListPoliciesGrantingServiceAccess.html)
# View last accessed information for AWS Organizations
You can view service last accessed information for AWS Organizations using the IAM console, AWS CLI, or AWS API. For important information about the data, permissions required, troubleshooting, and supported Regions, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
When you sign in to the IAM console using AWS Organizations management account credentials, you can view information for any entity in your organization. AWS Organizations entities include the organization root, organizational units (OUs), and accounts. You can also use the IAM console to view information for any service control policies (SCPs) in your organization. IAM shows a list of services that are allowed by any SCPs that apply to the entity. For each service, you can view the most recent account activity information for the chosen AWS Organizations entity or the entity's children.
When you use the AWS CLI or AWS API with management account credentials, you can generate a report for any entities or policies in your organization. A programmatic report for an entity includes a list of services that are allowed by any SCPs that apply to the entity. For each service, the report includes the most recent activity for accounts in the specified AWS Organizations entity or the entity's subtree.
When you generate a programmatic report for a policy, you must specify an AWS Organizations entity. This report includes a list of services that are allowed by the specified SCP. For each service, it includes the most recent account activity in the entity or entity's children that are granted permission by that policy. For more information, see [aws iam generate-organizations-access-report](https://docs.aws.amazon.com/cli/latest/reference/iam/generate-organizations-access-report.html) or [GenerateOrganizationsAccessReport](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateOrganizationsAccessReport.html).
Before you view the report, make sure that you understand the management account requirements and information, reporting period, reported entities, and the evaluated policy types. For more details, see [Things to know about last accessed information](access_policies_last-accessed.md#access_policies_last-accessed-know).
## Understand the AWS Organizations entity path
When you use the AWS CLI or AWS API to generate an AWS Organizations access report, you must specify an entity path. A path is a text representation of the structure of an AWS Organizations entity.
You can build an entity path using the known structure of your organization. For example, assume that you have the following organizational structure in AWS Organizations.
![\[Organization path structure\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/ou-path-diagram.png)
The path for the **Dev Managers** OU is built using the IDs of the organization, root, and all OUs in the path down to and including the OU.
```
o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-ghi0-awsccccc/ou-jkl0-awsddddd/
```
The path for the account in the **Production** OU is built using the IDs of the organization, root, the OU, and the account number.
```
o-a1b2c3d4e5/r-f6g7h8i9j0example/ou-abc0-awsaaaaa/111111111111/
```
**Note**
Organization IDs are globally unique but OU IDs and root IDs are unique only within an organization. This means that no two organizations share the same organization ID. However, another organization might have an OU or root with the same ID as yours. We recommend that you always include the organization ID when you specify an OU or root.
## Viewing information for AWS Organizations (console)
You can use the IAM console to view service last accessed information for your root, OU, account, or policy.
**To view information for the root (console)**
1. Sign in to the AWS Management Console using AWS Organizations management account credentials, and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane below the **Access reports** section, choose **Organization activity**.
1. On the **Organization activity** page, choose **Root**.
1. On the **Details and activity** tab, view the **Service access report** section. The information includes a list of services that are allowed by the policies that are attached directly to the root. The information shows you from which account the service was last accessed and when. For more details about which principal accessed the service, sign in as an administrator in that account and [view the IAM service last accessed information](access_policies_last-accessed-view-data.md).
1. Choose the **Attached SCPs** tab to view the list of the service control policies (SCPs) that are attached to the root. IAM shows you the number of target entities to which each policy is attached. You can use this information to decide which SCP to review.
1. Choose the name of an SCP to view all of the services that the policy allows. For each service, view from which account the service was last accessed, and when.
1. Choose **Edit in AWS Organizations** to view additional details and edit the SCP in the AWS Organizations console. For more information, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/create-policy.html#update_policy) in the *AWS Organizations User Guide*.
**To view information for an OU or account (console)**
1. Sign in to the AWS Management Console using AWS Organizations management account credentials, and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane below the **Access reports** section, choose **Organization activity**.
1. On the **Organization activity** page, expand the structure of your organization. Then choose the name of the OU or any account that you want to view except the management account.
1. On the **Details and activity** tab, view the **Service access report** section. The information includes a list of services that are allowed by the SCPs attached to the OU or account *and* all of its parents. The information shows you from which account the service was last accessed and when. For more details about which principal accessed the service, sign in as an administrator in that account and [view the IAM service last accessed information](access_policies_last-accessed-view-data.md).
1. Choose the **Attached SCPs** tab to view the list of the service control policies (SCPs) that are attached directly to the OU or account. IAM shows you the number of target entities to which each policy is attached. You can use this information to decide which SCP to review.
1. Choose the name of an SCP to view all of the services that the policy allows. For each service, view from which account the service was last accessed, and when.
1. Choose **Edit in AWS Organizations** to view additional details and edit the SCP in the AWS Organizations console. For more information, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/create-policy.html#update_policy) in the *AWS Organizations User Guide*.
**To view information for the management account (console)**
1. Sign in to the AWS Management Console using AWS Organizations management account credentials, and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane below the **Access reports** section, choose **Organization activity**.
1. On the **Organization activity** page, expand the structure of your organization and choose the name your management account.
1. On the **Details and activity** tab, view the **Service access report** section. The information includes a list of all AWS services. The management account is not limited by SCPs. The information shows you whether the account last accessed the service and when. For more details about which principal accessed the service, sign in as an administrator in that account and [view the IAM service last accessed information](access_policies_last-accessed-view-data.md).
1. Choose the **Attached SCPs** tab to confirm that there are no attached SCPs because the account is the management account.
**To view information for a policy (console)**
1. Sign in to the AWS Management Console using AWS Organizations management account credentials, and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane below the **Access reports** section, choose **Service control policies (SCPs)**.
1. On the **Service control policies (SCPs)** page, view a list of the policies in your organization. You can view the number of target entities to which each policy is attached.
1. Choose the name of an SCP to view all of the services that the policy allows. For each service, view from which account the service was last accessed, and when.
1. Choose **Edit in AWS Organizations** to view additional details and edit the SCP in the AWS Organizations console. For more information, see [Updating an SCP](https://docs.aws.amazon.com/organizations/latest/userguide/create-policy.html#update_policy) in the *AWS Organizations User Guide*.
## Viewing information for AWS Organizations (AWS CLI)
You can use the AWS CLI to retrieve service last accessed information for your AWS Organizations root, OU, account, or policy.
**To view AWS Organizations service last accessed information (AWS CLI)**
1. Use your AWS Organizations management account credentials with the required IAM and AWS Organizations permissions, and confirm that SCPs are enabled for your root. For more information, see [Things to know about last accessed information](access_policies_last-accessed.md#access_policies_last-accessed-know).
1. Generate a report. The request must include the path of the AWS Organizations entity (root, OU, or account) for which you want a report. You can optionally include an `organization-policy-id` parameter to view a report for a specific policy. The command returns a `job-id` that you can then use in the `get-organizations-access-report` command to monitor the `job-status` until the job is complete.
+ [aws iam generate-organizations-access-report](https://docs.aws.amazon.com/cli/latest/reference/iam/generate-organizations-access-report.html)
1. Retrieve details about the report using the `job-id` parameter from the previous step.
+ [aws iam get-organizations-access-report](https://docs.aws.amazon.com/cli/latest/reference/iam/get-organizations-access-report.html)
This command returns a list of services that entity members can access. For each service, the command returns the date and time of an account member's last attempt and the entity path of the account. It also returns the total number of services that are available to access and the number of services that were not accessed. If you specified the optional `organizations-policy-id` parameter, then the services that are available to access are those that are allowed by the specified policy.
## Viewing information for AWS Organizations (AWS API)
You can use the AWS API to retrieve service last accessed information for your AWS Organizations root, OU, account, or policy.
**To view AWS Organizations service last accessed information (AWS API)**
1. Use your AWS Organizations management account credentials with the required IAM and AWS Organizations permissions, and confirm that SCPs are enabled for your root. For more information, see [Things to know about last accessed information](access_policies_last-accessed.md#access_policies_last-accessed-know).
1. Generate a report. The request must include the path of the AWS Organizations entity (root, OU, or account) for which you want a report. You can optionally include an `OrganizationsPolicyId` parameter to view a report for a specific policy. The operation returns a `JobId` that you can then use in the `GetOrganizationsAccessReport` operation to monitor the `JobStatus` until the job is complete.
+ [GenerateOrganizationsAccessReport](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GenerateOrganizationsAccessReport.html)
1. Retrieve details about the report using the `JobId` parameter from the previous step.
+ [GetOrganizationsAccessReport](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetOrganizationsAccessReport.html)
This operation returns a list of services that entity members can access. For each service, the operation returns the date and time of an account member's last attempt and the entity path of the account. It also returns the total number of services that are available to access, and the number of services that were not accessed. If you specified the optional `OrganizationsPolicyId` parameter, then the services that are available to access are those that are allowed by the specified policy.
# Example scenarios for using last accessed information
You can use last accessed information to make decisions about the permissions that you grant to your IAM entities or AWS Organizations entities. For more information, see [Refine permissions in AWS using last accessed information](access_policies_last-accessed.md).
**Note**
Before you view the access information for an entity or policy in IAM or AWS Organizations, make sure that you understand the reporting period, reported entities, and the evaluated policy types for your data. For more details, see [Things to know about last accessed information](access_policies_last-accessed.md#access_policies_last-accessed-know).
It's up to you as an administrator to balance the accessibility and least privilege that's appropriate for your company.
## Using information to reduce permissions for an IAM group
You can use last accessed information to reduce IAM group permissions to include only those services that your users need. This method is an important step in [granting least privilege](best-practices.md#grant-least-privilege) at a service level.
For example, Paulo Santos is the administrator in charge of defining AWS user permissions for Example Corp. This company just started using AWS, and the software development team has not yet defined what AWS services they will use. Paulo wants to give the team permission to access only the services they need, but since that is not yet defined, he temporarily gives them power-user permissions. Then he uses last accessed information to reduce the group's permissions.
Paulo creates a managed policy named `ExampleDevelopment` using the following JSON text. He then attaches it to a group named `Development` and adds all of the developers to the group.
**Note**
Paulo's power users might need `iam:CreateServiceLinkedRole` permissions to use some services and features. He understands that adding this permission allows the users to create any service-linked role. He accepts this risk for his power users.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "FullAccessToAllServicesExceptPeopleManagement",
"Effect": "Allow",
"NotAction": [
"iam:*",
"organizations:*"
],
"Resource": "*"
},
{
"Sid": "RequiredIamAndOrgsActions",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:ListRoles",
"organizations:DescribeOrganization"
],
"Resource": "*"
}
]
}
```
------
Paulo decides to wait for 90 days before he [views the last accessed information](access_policies_last-accessed-view-data.md#access_policies_last-accessed-viewing) for the `Development` group using the AWS Management Console. He views the list of services that the group members accessed. He learns that the users accessed five services within the last week: AWS CloudTrail, Amazon CloudWatch Logs, Amazon EC2, AWS KMS, and Amazon S3. They accessed a few other services when they were first evaluating AWS, but not since then.
Paulo decides to reduce the policy permissions to include only those five services and the required IAM and AWS Organizations actions. He edits `ExampleDevelopment` policy using the following JSON text.
**Note**
Paulo's power users might need `iam:CreateServiceLinkedRole` permissions to use some services and features. He understands that adding this permission allows the users to create any service-linked role. He accepts this risk for his power users.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "FullAccessToListedServices",
"Effect": "Allow",
"Action": [
"s3:*",
"kms:*",
"cloudtrail:*",
"logs:*",
"ec2:*"
],
"Resource": "*"
},
{
"Sid": "RequiredIamAndOrgsActions",
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole",
"iam:ListRoles",
"organizations:DescribeOrganization"
],
"Resource": "*"
}
]
}
```
------
To further reduce permissions, Paulo can view the account's events in AWS CloudTrail **Event history**. There he can view detailed event information that he can use to reduce the policy's permissions to include only the actions and resources that the developers need. For more information, see [Viewing CloudTrail Events in the CloudTrail Console](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html) in the *AWS CloudTrail User Guide*.
## Using information to reduce permissions for an IAM user
You can use last accessed information to reduce the permissions for an individual IAM user.
For example, Martha Rivera is an IT administrator responsible for ensuring that people in her company do not have excess AWS permissions. As part of a periodic security check, she reviews the permissions of all IAM users. One of these users is an application developer named Nikhil Jayashankar, who previously filled the role of a security engineer. Because of the change in job requirements, Nikhil is a member of both the `app-dev` group and the `security-team` group. The `app-dev` group for his new job grants permissions to multiple services including Amazon EC2, Amazon EBS, Auto Scaling, Amazon S3, Route 53, and Elastic Transcoder. The `security-team` group for his old job grants permissions to IAM and CloudTrail.
As an administrator, Martha signs into the IAM console and chooses **Users**, chooses the name `nikhilj`, and then chooses the **Last Accessed** tab.
Martha reviews the **Last Accessed** column and notices that Nikhil has not recently accessed IAM, CloudTrail, Route 53, Amazon Elastic Transcoder, and a number of other AWS services. Nikhil has accessed Amazon S3. Martha chooses **S3** from the list of services and learns that Nikhil has performed some Amazon S3 `List` actions in the last two weeks. Within her company, Martha confirms that Nikhil has no business need to access IAM and CloudTrail anymore because he is no longer a member of the internal security team.
Martha is now ready to act on the service and action last accessed information. However, unlike the group in the previous example, an IAM user like `nikhilj` might be subject to multiple policies and be a member of multiple groups. Martha must proceed with caution to avoid inadvertently disrupting access for `nikhilj` or other group members. In addition to learning what access Nikhil should have, she must determine *how* he is receiving these permissions.
Martha chooses the **Permissions** tab, where she views which policies are attached directly to `nikhilj` and those attached from a group. She expands each policy and views the policy summary to learn which policy allows access to the services that Nikhil is not using:
+ IAM – The `IAMFullAccess` AWS managed policy is attached directly to `nikhilj` and attached to the `security-team` group.
+ CloudTrail – The `AWSCloudTrailReadOnlyAccess` AWS managed policy is attached to the `security-team` group.
+ Route 53 – The `App-Dev-Route53` customer managed policy is attached to the `app-dev` group.
+ Elastic Transcoder – The `App-Dev-ElasticTranscoder` customer managed policy is attached to the `app-dev` group.
Martha decides to remove the `IAMFullAccess` AWS managed policy that is attached directly to `nikhilj`. She also removes Nikhil's membership to the `security-team` group. These two actions remove the unnecessary access to IAM and CloudTrail.
Nikhil's permissions to access to Route 53 and Elastic Transcoder are granted by the `app-dev` group. Although Nikhil isn't using those services, other members of the group might be. Martha reviews the last accessed information for the `app-dev` group and learns that several members recently accessed Route 53 and Amazon S3. But no group members have accessed Elastic Transcoder in the last year. She removes the `App-Dev-ElasticTranscoder` customer managed policy from the group.
Martha then reviews the last accessed information for the `App-Dev-ElasticTranscoder` customer managed policy. She learns that the policy is not attached to any other IAM identities. She investigates within her company to make sure that the policy will not be needed in the future, and then she deletes it.
## Using information before deleting IAM resources
You can use last accessed information before you delete an IAM resource to make sure that a certain amount of time has passed since someone last used the resource. This applies to users, groups, roles, and policies. To learn more about these actions, see the following topics:
+ **IAM users** – [Remove or deactivate an IAM user](id_users_remove.md)
+ **Groups** – [Delete an IAM group](id_groups_manage_delete.md)
+ **Roles** – [Delete roles or instance profiles](id_roles_manage_delete.md)
+ **Policies** – [Delete IAM policies (this also detaches the policy from identities)](access_policies_manage-delete.md)
## Using information before editing IAM policies
You can review last accessed information for an IAM identity (user, group, or role), or for an IAM policy before editing a policy that affects that resource. This is important because you don't want to remove access for someone that is using it.
For example, Arnav Desai is a developer and AWS administrator for Example Corp. When his team started using AWS, they gave all developers power-user access that allowed them full access to all services except IAM and AWS Organizations. As a first step towards [granting least privilege](best-practices.md#grant-least-privilege), Arnav wants to use the AWS CLI to review the managed policies in his account.
To do this, Arnav first lists the customer managed permissions policies in his account that are attached to an identity, using the following command:
```
aws iam list-policies --scope Local --only-attached --policy-usage-filter PermissionsPolicy
```
From the response, he captures the ARN for each policy. Arnav then generates a report for last accessed information for each policy using the following command.
```
aws iam generate-service-last-accessed-details --arn arn:aws:iam::123456789012:policy/ExamplePolicy1
```
From that response, he captures the ID of the generated report from the `JobId` field. Arnav then polls the following command until the `JobStatus` field returns a value of `COMPLETED` or `FAILED`. If the job failed, he captures the error.
```
aws iam get-service-last-accessed-details --job-id 98a765b4-3cde-2101-2345-example678f9
```
When the job has a status of `COMPLETED`, Arnav parses the contents of the JSON-formatted `ServicesLastAccessed` array.
```
"ServicesLastAccessed": [
{
"TotalAuthenticatedEntities": 1,
"LastAuthenticated": 2018-11-01T21:24:33.222Z,
"ServiceNamespace": "dynamodb",
"LastAuthenticatedEntity": "arn:aws:iam::123456789012:user/IAMExampleUser",
"ServiceName": "Amazon DynamoDB"
},
{
"TotalAuthenticatedEntities": 0,
"ServiceNamespace": "ec2",
"ServiceName": "Amazon EC2"
},
{
"TotalAuthenticatedEntities": 3,
"LastAuthenticated": 2018-08-25T15:29:51.156Z,
"ServiceNamespace": "s3",
"LastAuthenticatedEntity": "arn:aws:iam::123456789012:role/IAMExampleRole",
"ServiceName": "Amazon S3"
}
]
```
From this information, Arnav learns that the `ExamplePolicy1` policy allows access to three services, Amazon DynamoDB, Amazon S3, and Amazon EC2. The IAM user named `IAMExampleUser` last attempted to access DynamoDB on November 1, and someone used the `IAMExampleRole` role to attempt to access Amazon S3 on August 25. There are also two more entities that attempted to access Amazon S3 in the last year. However, nobody has attempted to access Amazon EC2 in the last year.
This means that Arnav can safely remove the Amazon EC2 actions from the policy. Arnav wants to review the current JSON document for the policy. First, he must determine the version number of the policy using the following command.
```
aws iam list-policy-versions --policy-arn arn:aws:iam::123456789012:policy/ExamplePolicy1
```
From the response, Arnav collects the current default version number from the `Versions` array. He then uses that version number (`v2`) to request the JSON policy document using the following command.
```
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/ExamplePolicy1 --version-id v2
```
Arnav stores the JSON policy document returned in the `Document` field of the `PolicyVersion` array. Within the policy document, Arnav searches for actions with in the `ec2` namespace. If there are no actions from other namespaces remaining in the policy, then he detaches the policy from the affected identities (users, groups, and roles). He then deletes the policy. In this case, the policy does include the Amazon DynamoDB and Amazon S3 services. So Arnav removes the Amazon EC2 actions from the document and saves his changes. He then uses the following command to update the policy using the new version of the document and to set that version as the default policy version.
```
aws iam create-policy-version --policy-arn arn:aws:iam::123456789012:policy/ExamplePolicy1 --policy-document file://UpdatedPolicy.json --set-as-default
```
The `ExamplePolicy1` policy is now updated to remove access to the unnecessary Amazon EC2 service.
## Other IAM scenarios
Information about when an IAM resource (user, group, role, or policy) last attempted to access a service can help you when you complete any of the following tasks:
+ **Policies** – [Editing an existing customer-managed or inline policy to remove permissions](access_policies_manage-edit.md)
+ **Policies** – [Converting an inline policy to a managed policy and then deleting it](access_policies-convert-inline-to-managed.md)
+ **Policies** – [Adding an explicit deny to an existing policy](reference_policies_evaluation-logic_AccessPolicyLanguage_Interplay.md)
+ **Policies** – [Detaching a managed policy from an identity (user, group, or role)](access_policies_manage-attach-detach.md#detach-managed-policy-console)
+ **Entities** – [Set a permissions boundary to control the maximum permissions that an entity (user or role) can have](access_policies_manage-attach-detach.md)
+ **Groups** – [Removing users from a group](id_groups_manage_add-remove-users.md)
## Using information to refine permissions for an organizational unit
You can use last accessed information to refine the permissions for an organizational unit (OU) in AWS Organizations.
For example, John Stiles is an AWS Organizations administrator. He is responsible for ensuring that people in company AWS accounts do not have excess permissions. As part of a periodic security audit, he reviews the permissions of his organization. His `Development` OU contains accounts that are often used to test new AWS services. John decides to periodically review the report for services that have not been accessed in more than 180 days. He then removes permissions for the OU members to access those services.
John signs into the IAM console using his management account credentials. In the IAM console, he locates the AWS Organizations data for the `Development` OU. He reviews the **Service access report** table and sees two AWS services that have not been accessed in more than his preferred period of 180 days. He remembers adding permissions for the development teams to access Amazon Lex and AWS Database Migration Service. John contacts the development teams and confirms that they no longer have a business need to test these services.
John is now ready to act on the last accessed information. He chooses **Edit in AWS Organizations** and is reminded that the SCP is attached to multiple entities. He chooses **Continue**. In AWS Organizations, he reviews the targets to learn to which AWS Organizations entities that the SCP is attached. All of entities are within the `Development` OU.
John decides to deny access to the Amazon Lex and AWS Database Migration Service actions in the `NewServiceTest` SCP. This action removes the unnecessary access to the services.
# IAM action last accessed information services and actions
The following table lists the AWS services for which [IAM action last accessed information](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_last-accessed.html) is displayed. For a list of actions in each service, see [Actions, resources, and condition keys for AWS services](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) in the Service Authorization Reference.
AWS provides action last accessed information in JSON format to streamline the automation of policy management workflows. With the service reference information, you can access action last accessed information across AWS services from machine-readable files. For more information, see [Simplified AWS service information for programmatic access](https://docs.aws.amazon.com/service-authorization/latest/reference/service-reference.html) in the Service Authorization Reference.
| **Service** | **Service prefix** |
| --- | --- |
| [AWS Identity and Access Management and Access Analyzer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamaccessanalyzer.html) | access-analyzer |
| [AWS Account Management](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsaccountmanagement.html) | account |
| [AWS Certificate Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscertificatemanager.html) | acm |
| [Amazon Managed Workflows for Apache Airflow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedworkflowsforapacheairflow.html) | airflow |
| [AWS Amplify](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplify.html) | amplify |
| [AWS Amplify UI Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsamplifyuibuilder.html) | amplifyuibuilder |
| [Amazon AppIntegrations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappintegrations.html) | app-integrations |
| [AWS AppConfig](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappconfig.html) | appconfig |
| [Amazon AppFlow](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappflow.html) | appflow |
| [AWS Application Cost Profiler](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationcostprofilerservice.html) | application-cost-profiler |
| [Amazon CloudWatch Application Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchapplicationinsights.html) | applicationinsights |
| [AWS App Mesh](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappmesh.html) | appmesh |
| [Amazon WorkSpaces Applications](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonappstream2.0.html) | appstream |
| [AWS AppSync](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsappsync.html) | appsync |
| [Amazon Managed Service for Prometheus](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedserviceforprometheus.html) | aps |
| [Amazon Athena](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html) | athena |
| [AWS Audit Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsauditmanager.html) | auditmanager |
| [AWS Auto Scaling](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsautoscaling.html) | autoscaling |
| [AWS Marketplace](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmarketplace.html) | aws-marketplace |
| [AWS Backup](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbackup.html) | backup |
| [AWS Batch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbatch.html) | batch |
| [Amazon Braket](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbraket.html) | braket |
| [AWS Budgets](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsbudgetservice.html) | budgets |
| [AWS Cloud9](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloud9.html) | cloud9 |
| [AWS CloudFormation](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudformation.html) | cloudformation |
| [Amazon CloudFront](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudfront.html) | cloudfront |
| [AWS CloudHSM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudhsm.html) | cloudhsm |
| [Amazon CloudSearch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudsearch.html) | cloudsearch |
| [AWS CloudTrail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudtrail.html) | cloudtrail |
| [Amazon CloudWatch](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html) | cloudwatch |
| [AWS CodeArtifact](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodeartifact.html) | codeartifact |
| [AWS CodeDeploy](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodedeploy.html) | codedeploy |
| [Amazon CodeGuru Profiler](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodeguruprofiler.html) | codeguru-profiler |
| [Amazon CodeGuru Reviewer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncodegurureviewer.html) | codeguru-reviewer |
| [AWS CodePipeline](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodepipeline.html) | codepipeline |
| [AWS CodeStar](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestar.html) | codestar |
| [AWS CodeStar Notifications](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscodestarnotifications.html) | codestar-notifications |
| [Amazon Cognito Identity](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitoidentity.html) | cognito-identity |
| [Amazon Cognito user pools](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html) | cognito-idp |
| [Amazon Cognito Sync](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitosync.html) | cognito-sync |
| [Amazon Comprehend Medical](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncomprehendmedical.html) | comprehendmedical |
| [AWS Compute Optimizer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscomputeoptimizer.html) | compute-optimizer |
| [AWS Config](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsconfig.html) | config |
| [Amazon Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnect.html) | connect |
| [AWS Cost and Usage Report](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscostandusagereport.html) | cur |
| [AWS Glue DataBrew](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgluedatabrew.html) | databrew |
| [AWS Data Exchange](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdataexchange.html) | dataexchange |
| [AWS Data Pipeline](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatapipeline.html) | datapipeline |
| [DynamoDB Accelerator](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodbacceleratordax.html) | dax |
| [AWS Device Farm](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdevicefarm.html) | devicefarm |
| [Amazon DevOps Guru](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondevopsguru.html) | devops-guru |
| [AWS Direct Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdirectconnect.html) | directconnect |
| [Amazon Data Lifecycle Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondatalifecyclemanager.html) | dlm |
| [AWS Database Migration Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsdatabasemigrationservice.html) | dms |
| [Amazon DocumentDB Elastic Clusters](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondocumentdbelasticclusters.html) | docdb-elastic |
| [Amazon DynamoDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazondynamodb.html) | dynamodb |
| [Amazon Elastic Block Store](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticblockstore.html) | ebs |
| [Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html) | ec2 |
| [Amazon Elastic Container Registry](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistry.html) | ecr |
| [Amazon Elastic Container Registry Public](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerregistrypublic.html) | ecr-public |
| [Amazon Elastic Container Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerservice.html) | ecs |
| [Amazon Elastic Kubernetes Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastickubernetesservice.html) | eks |
| [Amazon ElastiCache](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticache.html) | elasticache |
| [AWS Elastic Beanstalk](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselasticbeanstalk.html) | elasticbeanstalk |
| [Amazon Elastic File System](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticfilesystem.html) | elasticfilesystem |
| [Elastic Load Balancing](https://docs.aws.amazon.com/service-authorization/latest/reference/list_elasticloadbalancing.html) | elasticloadbalancing |
| [Amazon Elastic Transcoder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelastictranscoder.html) | elastictranscoder |
| [Amazon EMR on EKS (EMR Containers)](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemroneksemrcontainers.html) | emr-containers |
| [Amazon EMR Serverless](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonemrserverless.html) | emr-serverless |
| [Amazon OpenSearch Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonopensearchservice.html) | es |
| [Amazon EventBridge](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html) | events |
| [Amazon CloudWatch Evidently](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchevidently.html) | evidently |
| [Amazon FinSpace](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfinspace.html) | finspace |
| [Amazon Data Firehose](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisfirehose.html) | firehose |
| [AWS Fault Injection Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfaultinjectionsimulator.html) | fis |
| [AWS Firewall Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsfirewallmanager.html) | fms |
| [Amazon Fraud Detector](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfrauddetector) | frauddetector |
| [Amazon FSx](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx) | fsx |
| [Amazon GameLift Servers](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazongamelift) | gamelift |
| [Amazon Location Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlocation.html) | geo |
| [Amazon Glacier](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3glacier.html) | glacier |
| [Amazon Managed Grafana](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedgrafana.html) | grafana |
| [AWS IoT Greengrass](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotgreengrass.html) | greengrass |
| [AWS Ground Station](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsgroundstation.html) | groundstation |
| [Amazon GuardDuty](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonguardduty.html) | guardduty |
| [AWS HealthLake](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhealthlake.html) | healthlake |
| [Amazon Honeycode](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonhoneycode.html) | honeycode |
| [AWS Identity and Access Management](https://docs.aws.amazon.com/service-authorization/latest/reference/list_identityandaccessmanagement.html) | iam |
| [AWS Identity Store](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html) | identitystore |
| [EC2 Image Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2imagebuilder.html) | imagebuilder |
| [Amazon Inspector Classic](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector.html) | inspector |
| [Amazon Inspector](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninspector2.html) | inspector2 |
| [AWS IoT](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html) | iot |
| [AWS IoT Analytics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotanalytics.html) | iotanalytics |
| [AWS IoT Core Device Advisor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotcoredeviceadvisor.html) | iotdeviceadvisor |
| [AWS IoT Events](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotevents.html) | iotevents |
| [AWS IoT Fleet Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotfleethubfordevicemanagement.html) | iotfleethub |
| [AWS IoT SiteWise](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotsitewise.html) | iotsitewise |
| [AWS IoT TwinMaker](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiottwinmaker.html) | iottwinmaker |
| [AWS IoT Wireless](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiotwireless.html) | iotwireless |
| [Amazon Interactive Video Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservice.html) | ivs |
| [Amazon Interactive Video Service Chat](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoninteractivevideoservicechat.html) | ivschat |
| [Amazon Managed Streaming for Apache Kafka](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforapachekafka.html) | kafka |
| [Amazon Managed Streaming for Kafka Connect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedstreamingforkafkaconnect.html) | kafkaconnect |
| [Amazon Kendra](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkendra.html) | kendra |
| [Amazon Kinesis](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesis.html) | kinesis |
| [Amazon Kinesis Analytics V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html) | kinesisanalytics |
| [AWS Key Management Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awskeymanagementservice.html) | kms |
| [AWS Lambda](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslambda.html) | lambda |
| [Amazon Lex](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlexv2.html) | lex |
| [AWS License Manager Linux Subscriptions Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awslicensemanagerlinuxsubscriptionsmanager.html) | license-manager-linux-subscriptions |
| [Amazon Lightsail](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlightsail.html) | lightsail |
| [Amazon CloudWatch Logs](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchlogs.html) | logs |
| [Amazon Lookout for Equipment](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforequipment.html) | lookoutequipment |
| [Amazon Lookout for Metrics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutformetrics.html) | lookoutmetrics |
| [Amazon Lookout for Vision](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonlookoutforvision.html) | lookoutvision |
| [AWS Mainframe Modernization](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmainframemodernizationservice.html) | m2 |
| [Amazon Managed Blockchain](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmanagedblockchain.html) | managedblockchain |
| [AWS Elemental MediaConnect](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconnect.html) | mediaconnect |
| [AWS Elemental MediaConvert](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediaconvert.html) | mediaconvert |
| [AWS Elemental MediaLive](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmedialive.html) | medialive |
| [AWS Elemental MediaStore](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediastore.html) | mediastore |
| [AWS Elemental MediaTailor](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awselementalmediatailor.html) | mediatailor |
| [Amazon MemoryDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmemorydb.html) | memorydb |
| [AWS Application Migration Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsapplicationmigrationservice.html) | mgn |
| [AWS Migration Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhub.html) | mgh |
| [AWS Migration Hub Strategy Recommendations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhubstrategyrecommendations.html) | migrationhub-strategy |
| [Amazon Pinpoint](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpoint.html) | mobiletargeting |
| [Amazon MQ](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmq.html) | mq |
| [AWS Network Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsnetworkmanager.html) | networkmanager |
| [Amazon Nimble Studio](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonnimblestudio.html) | nimble |
| [AWS HealthOmics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awshealthomics.html) | omics |
| [AWS OpsWorks](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworks.html) | opsworks |
| [AWS OpsWorks CM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsopsworksconfigurationmanagement) | opsworks-cm |
| [AWS Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsoutposts.html) | outposts |
| [AWS Organizations](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsorganizations.html) | organizations |
| [AWS Panorama](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awspanorama.html) | panorama |
| [AWS Performance Insights](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsperformanceinsights.html) | pi |
| [Amazon EventBridge Pipes](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgepipes.html) | pipes |
| [Amazon Polly](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpolly.html) | polly |
| [Amazon Connect Customer Profiles](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectcustomerprofiles.html) | profile |
| [Amazon QLDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonqldb.html) | qldb |
| [AWS Resource Access Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanager.html) | ram |
| [AWS Recycle Bin](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrecyclebin.html) | rbin |
| [Amazon Relational Database Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html) | rds |
| [Amazon Redshift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html) | redshift |
| [Amazon Redshift Data API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html) | redshift-data |
| [AWS Migration Hub Refactor Spaces](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsmigrationhubrefactorspaces.html) | refactor-spaces |
| [Amazon Rekognition](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrekognition.html) | rekognition |
| [AWS Resilience Hub](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresiliencehub.html) | resiliencehub |
| [AWS Resource Explorer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceexplorer.html) | resource-explorer-2 |
| [AWS Resource Groups](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourcegroups.html) | resource-groups |
| [AWS RoboMaker](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsrobomaker.html) | robomaker |
| [AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentityandaccessmanagementrolesanywhere.html) | rolesanywhere |
| [Amazon Route 53](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53.html) | route53 |
| [Amazon Route 53 Recovery Controls](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoverycontrols.html) | route53-recovery-control-config |
| [Amazon Route 53 Recovery Readiness](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53recoveryreadiness.html) | route53-recovery-readiness |
| [Amazon Route 53 Resolver](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonroute53resolver.html) | route53resolver |
| [AWS CloudWatch RUM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudwatchrum.html) | rum |
| [Amazon Simple Storage Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html) | s3 |
| [Amazon S3 on Outposts](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3onoutposts.html) | s3-outposts |
| [Amazon SageMaker AI geospatial capabilities](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemakergeospatialcapabilities.html) | sagemaker-geospatial |
| [Savings Plans](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssavingsplans.html) | savingsplans |
| [Amazon EventBridge Schemas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridgeschemas.html) | schemas |
| [Amazon SimpleDB](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpledb.html) | sdb |
| [AWS Secrets Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecretsmanager.html) | secretsmanager |
| [AWS Security Hub CSPM](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecurityhub.html) | securityhub |
| [Amazon Security Lake](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsecuritylake.html) | securitylake |
| [AWS Serverless Application Repository](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsserverlessapplicationrepository.html) | serverlessrepo |
| [AWS Service Catalog](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservicecatalog.html) | servicecatalog |
| [AWS Cloud Map](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awscloudmap.html) | servicediscovery |
| [Service Quotas](https://docs.aws.amazon.com/service-authorization/latest/reference/list_servicequotas.html) | servicequotas |
| [Amazon Simple Email Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonses.html) | ses |
| [AWS Shield](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsshield.html) | shield |
| [AWS Signer](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssigner.html) | signer |
| [AWS SimSpace Weaver](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssimspaceweaver.html) | simspaceweaver |
| [AWS Server Migration Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsservermigrationservice.html) | sms |
| [Amazon Pinpoint SMS and Voice Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonpinpointsmsandvoiceservice.html) | sms-voice |
| [AWS Snowball Edge](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssnowball.html) | snowball |
| [Amazon Simple Queue Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsqs.html) | sqs |
| [AWS Systems Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html) | ssm |
| [AWS Systems Manager Incident Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerincidentmanager.html) | ssm-incidents |
| [AWS Systems Manager for SAP](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanagerforsap.html) | ssm-sap |
| [AWS Step Functions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsstepfunctions.html) | states |
| [AWS Security Token Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritytokenservice.html) | sts |
| [Amazon Simple Workflow Service](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsimpleworkflowservice.html) | swf |
| [Amazon CloudWatch Synthetics](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatchsynthetics.html) | synthetics |
| [AWS Resource Groups Tagging API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonresourcegrouptaggingapi.html) | tag |
| [Amazon Textract](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontextract.html) | textract |
| [Amazon Timestream](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontimestream.html) | timestream |
| [AWS Telco Network Builder](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstelconetworkbuilder.html) | tnb |
| [Amazon Transcribe](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranscribe.html) | transcribe |
| [AWS Transfer Family](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awstransferfamily.html) | transfer |
| [Amazon Translate](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazontranslate.html) | translate |
| [Amazon Connect Voice ID](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectvoiceid.html) | voiceid |
| [Amazon VPC Lattice](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonvpclattice.html) | vpc-lattice |
| [AWS WAFV2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswafv2.html) | wafv2 |
| [AWS Well-Architected Tool](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awswell-architectedtool.html) | wellarchitected |
| [Amazon Connect Wisdom](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonconnectwisdom.html) | wisdom |
| [Amazon WorkLink](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworklink.html) | worklink |
| [Amazon WorkSpaces](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonworkspaces.html) | workspaces |
| [AWS X-Ray](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsx-ray.html) | xray |
## Actions for action last accessed information
The following table lists the actions for which action last accessed information is available.
**Important**
The `iam:UpdateAccountName` action will be deprecated on April 22, 2026. After April 22, 2026, only the `[account:PutAccountName](https://docs.aws.amazon.com/accounts/latest/reference/API_PutAccountName.html)` permission will control account name update access. We strongly recommend that you update any [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) that control account name updates to use the `account:PutAccountName` permission.
| **Service prefix** | **Actions** |
| --- | --- |
| access-analyzer | access-analyzer:ApplyArchiveRule access-analyzer:CancelPolicyGeneration access-analyzer:CheckAccessNotGranted access-analyzer:CheckNoNewAccess access-analyzer:CheckNoPublicAccess access-analyzer:CreateAccessPreview access-analyzer:CreateAnalyzer access-analyzer:CreateArchiveRule access-analyzer:DeleteAnalyzer access-analyzer:DeleteArchiveRule access-analyzer:GenerateFindingRecommendation access-analyzer:GetAccessPreview access-analyzer:GetAnalyzedResource access-analyzer:GetAnalyzer access-analyzer:GetArchiveRule access-analyzer:GetFinding access-analyzer:GetFindingRecommendation access-analyzer:GetFindingsStatistics access-analyzer:GetGeneratedPolicy access-analyzer:ListAccessPreviewFindings access-analyzer:ListAccessPreviews access-analyzer:ListAnalyzedResources access-analyzer:ListAnalyzers access-analyzer:ListArchiveRules access-analyzer:ListFindings access-analyzer:ListPolicyGenerations access-analyzer:StartPolicyGeneration access-analyzer:StartResourceScan access-analyzer:UpdateAnalyzer access-analyzer:UpdateArchiveRule access-analyzer:UpdateFindings access-analyzer:ValidatePolicy |
| account | account:AcceptPrimaryEmailUpdate account:DeleteAlternateContact account:DisableRegion account:EnableRegion account:GetAccountInformation account:GetAlternateContact account:GetContactInformation account:GetGovCloudAccountInformation account:GetPrimaryEmail account:GetRegionOptStatus account:ListRegions account:PutAccountName account:PutAlternateContact account:PutContactInformation account:StartPrimaryEmailUpdate |
| acm | acm:DeleteCertificate acm:DescribeCertificate acm:ExportCertificate acm:GetAccountConfiguration acm:GetCertificate acm:ImportCertificate acm:ListCertificates acm:PutAccountConfiguration acm:RenewCertificate acm:RequestCertificate acm:ResendValidationEmail acm:UpdateCertificateOptions |
| airflow | airflow:CreateCliToken airflow:CreateEnvironment airflow:CreateWebLoginToken airflow:DeleteEnvironment airflow:GetEnvironment airflow:ListEnvironments airflow:PublishMetrics airflow:UpdateEnvironment |
| amplify | amplify:CreateApp amplify:CreateBackendEnvironment amplify:CreateBranch amplify:CreateDeployment amplify:CreateDomainAssociation amplify:CreateWebHook amplify:DeleteApp amplify:DeleteBackendEnvironment amplify:DeleteBranch amplify:DeleteDomainAssociation amplify:DeleteJob amplify:DeleteWebHook amplify:GenerateAccessLogs amplify:GetApp amplify:GetArtifactUrl amplify:GetBackendEnvironment amplify:GetBranch amplify:GetDomainAssociation amplify:GetJob amplify:GetWebHook amplify:ListApps amplify:ListArtifacts amplify:ListBackendEnvironments amplify:ListBranches amplify:ListDomainAssociations amplify:ListJobs amplify:ListWebHooks amplify:StartDeployment amplify:StartJob amplify:StopJob amplify:UpdateApp amplify:UpdateBranch amplify:UpdateDomainAssociation amplify:UpdateWebHook |
| amplifyuibuilder | amplifyuibuilder:CreateComponent amplifyuibuilder:CreateForm amplifyuibuilder:CreateTheme amplifyuibuilder:DeleteComponent amplifyuibuilder:DeleteForm amplifyuibuilder:DeleteTheme amplifyuibuilder:ExportComponents amplifyuibuilder:ExportThemes amplifyuibuilder:GetCodegenJob amplifyuibuilder:ListCodegenJobs amplifyuibuilder:ListComponents amplifyuibuilder:ListForms amplifyuibuilder:ListThemes amplifyuibuilder:ResetMetadataFlag amplifyuibuilder:StartCodegenJob amplifyuibuilder:UpdateComponent amplifyuibuilder:UpdateForm amplifyuibuilder:UpdateTheme |
| app-integrations | app-integrations:CreateApplication app-integrations:CreateDataIntegration app-integrations:CreateDataIntegrationAssociation app-integrations:CreateEventIntegration app-integrations:DeleteApplication app-integrations:DeleteDataIntegration app-integrations:DeleteEventIntegration app-integrations:GetApplication app-integrations:GetDataIntegration app-integrations:GetEventIntegration app-integrations:ListApplicationAssociations app-integrations:ListApplications app-integrations:ListDataIntegrationAssociations app-integrations:ListDataIntegrations app-integrations:ListEventIntegrationAssociations app-integrations:ListEventIntegrations app-integrations:UpdateApplication app-integrations:UpdateDataIntegration app-integrations:UpdateDataIntegrationAssociation app-integrations:UpdateEventIntegration |
| appconfig | appconfig:CreateApplication appconfig:CreateConfigurationProfile appconfig:CreateDeploymentStrategy appconfig:CreateEnvironment appconfig:CreateExtension appconfig:CreateExtensionAssociation appconfig:CreateHostedConfigurationVersion appconfig:DeleteApplication appconfig:DeleteConfigurationProfile appconfig:DeleteDeploymentStrategy appconfig:DeleteEnvironment appconfig:DeleteExtension appconfig:DeleteExtensionAssociation appconfig:DeleteHostedConfigurationVersion appconfig:GetAccountSettings appconfig:GetApplication appconfig:GetConfiguration appconfig:GetConfigurationProfile appconfig:GetDeployment appconfig:GetDeploymentStrategy appconfig:GetEnvironment appconfig:GetExtension appconfig:GetExtensionAssociation appconfig:GetHostedConfigurationVersion appconfig:ListApplications appconfig:ListConfigurationProfiles appconfig:ListDeploymentStrategies appconfig:ListDeployments appconfig:ListEnvironments appconfig:ListExtensionAssociations appconfig:ListExtensions appconfig:ListHostedConfigurationVersions appconfig:StartDeployment appconfig:StopDeployment appconfig:UpdateAccountSettings appconfig:UpdateApplication appconfig:UpdateConfigurationProfile appconfig:UpdateDeploymentStrategy appconfig:UpdateEnvironment appconfig:UpdateExtension appconfig:UpdateExtensionAssociation appconfig:ValidateConfiguration |
| appflow | appflow:CancelFlowExecutions appflow:CreateConnectorProfile appflow:CreateFlow appflow:DeleteConnectorProfile appflow:DeleteFlow appflow:DescribeConnector appflow:DescribeConnectorEntity appflow:DescribeConnectorProfiles appflow:DescribeConnectors appflow:DescribeFlow appflow:DescribeFlowExecutionRecords appflow:ListConnectorEntities appflow:ListConnectors appflow:ListFlows appflow:RegisterConnector appflow:ResetConnectorMetadataCache appflow:StartFlow appflow:StopFlow appflow:UnRegisterConnector appflow:UpdateConnectorProfile appflow:UpdateConnectorRegistration appflow:UpdateFlow |
| applicationinsights | applicationinsights:AddWorkload applicationinsights:CreateApplication applicationinsights:CreateComponent applicationinsights:CreateLogPattern applicationinsights:DeleteApplication applicationinsights:DeleteComponent applicationinsights:DeleteLogPattern applicationinsights:DescribeApplication applicationinsights:DescribeComponent applicationinsights:DescribeComponentConfiguration applicationinsights:DescribeComponentConfigurationRecommendation applicationinsights:DescribeLogPattern applicationinsights:DescribeObservation applicationinsights:DescribeProblem applicationinsights:DescribeProblemObservations applicationinsights:DescribeWorkload applicationinsights:ListApplications applicationinsights:ListComponents applicationinsights:ListConfigurationHistory applicationinsights:ListLogPatternSets applicationinsights:ListLogPatterns applicationinsights:ListProblems applicationinsights:ListWorkloads applicationinsights:RemoveWorkload applicationinsights:UpdateApplication applicationinsights:UpdateComponent applicationinsights:UpdateComponentConfiguration applicationinsights:UpdateLogPattern applicationinsights:UpdateWorkload |
| appmesh | appmesh:CreateGatewayRoute appmesh:CreateMesh appmesh:CreateRoute appmesh:CreateVirtualGateway appmesh:CreateVirtualNode appmesh:CreateVirtualRouter appmesh:CreateVirtualService appmesh:DeleteGatewayRoute appmesh:DeleteMesh appmesh:DeleteRoute appmesh:DeleteVirtualGateway appmesh:DeleteVirtualNode appmesh:DeleteVirtualRouter appmesh:DeleteVirtualService appmesh:DescribeGatewayRoute appmesh:DescribeMesh appmesh:DescribeRoute appmesh:DescribeVirtualGateway appmesh:DescribeVirtualNode appmesh:DescribeVirtualRouter appmesh:DescribeVirtualService appmesh:ListGatewayRoutes appmesh:ListMeshes appmesh:ListRoutes appmesh:ListVirtualGateways appmesh:ListVirtualNodes appmesh:ListVirtualRouters appmesh:ListVirtualServices appmesh:StreamAggregatedResources appmesh:UpdateGatewayRoute appmesh:UpdateMesh appmesh:UpdateRoute appmesh:UpdateVirtualGateway appmesh:UpdateVirtualNode appmesh:UpdateVirtualRouter appmesh:UpdateVirtualService |
| appstream | appstream:AssociateAppBlockBuilderAppBlock appstream:AssociateApplicationFleet appstream:AssociateApplicationToEntitlement appstream:AssociateFleet appstream:AssociateSoftwareToImageBuilder appstream:BatchAssociateUserStack appstream:BatchDisassociateUserStack appstream:CopyImage appstream:CreateAppBlock appstream:CreateAppBlockBuilder appstream:CreateAppBlockBuilderStreamingURL appstream:CreateApplication appstream:CreateDirectoryConfig appstream:CreateEntitlement appstream:CreateFleet appstream:CreateImageBuilder appstream:CreateImageBuilderStreamingURL appstream:CreateStack appstream:CreateStreamingURL appstream:CreateThemeForStack appstream:CreateUpdatedImage appstream:CreateUsageReportSubscription appstream:CreateUser appstream:DeleteAppBlock appstream:DeleteAppBlockBuilder appstream:DeleteApplication appstream:DeleteDirectoryConfig appstream:DeleteEntitlement appstream:DeleteFleet appstream:DeleteImage appstream:DeleteImageBuilder appstream:DeleteImagePermissions appstream:DeleteStack appstream:DeleteThemeForStack appstream:DeleteUsageReportSubscription appstream:DeleteUser appstream:DescribeAppBlockBuilderAppBlockAssociations appstream:DescribeAppBlockBuilders appstream:DescribeAppBlocks appstream:DescribeAppLicenseUsage appstream:DescribeApplicationFleetAssociations appstream:DescribeApplications appstream:DescribeDirectoryConfigs appstream:DescribeEntitlements appstream:DescribeFleets appstream:DescribeImageBuilders appstream:DescribeImagePermissions appstream:DescribeImages appstream:DescribeSessions appstream:DescribeStacks appstream:DescribeThemeForStack appstream:DescribeUsageReportSubscriptions appstream:DescribeUserStackAssociations appstream:DescribeUsers appstream:DisableUser appstream:DisassociateAppBlockBuilderAppBlock appstream:DisassociateApplicationFleet appstream:DisassociateApplicationFromEntitlement appstream:DisassociateFleet appstream:DisassociateSoftwareFromImageBuilder appstream:EnableUser appstream:ExpireSession appstream:GetExportImageTask appstream:ListAssociatedFleets appstream:ListAssociatedStacks appstream:ListEntitledApplications appstream:ListExportImageTasks appstream:StartAppBlockBuilder appstream:StartFleet appstream:StartImageBuilder appstream:StartSoftwareDeploymentToImageBuilder appstream:StopAppBlockBuilder appstream:StopFleet appstream:StopImageBuilder appstream:UpdateAppBlockBuilder appstream:UpdateApplication appstream:UpdateDirectoryConfig appstream:UpdateEntitlement appstream:UpdateFleet appstream:UpdateImagePermissions appstream:UpdateStack appstream:UpdateThemeForStack |
| appsync | appsync:AssociateApi appsync:AssociateMergedGraphqlApi appsync:AssociateSourceGraphqlApi appsync:AssociateWebACL appsync:CreateApi appsync:CreateApiCache appsync:CreateApiKey appsync:CreateChannelNamespace appsync:CreateDataSource appsync:CreateDomainName appsync:CreateFunction appsync:CreateGraphqlApi appsync:CreateResolver appsync:CreateType appsync:DeleteApi appsync:DeleteApiCache appsync:DeleteApiKey appsync:DeleteChannelNamespace appsync:DeleteDataSource appsync:DeleteDomainName appsync:DeleteFunction appsync:DeleteGraphqlApi appsync:DeleteResolver appsync:DeleteType appsync:DisassociateApi appsync:DisassociateMergedGraphqlApi appsync:DisassociateSourceGraphqlApi appsync:DisassociateWebACL appsync:EvaluateCode appsync:EvaluateMappingTemplate appsync:FlushApiCache appsync:GetApi appsync:GetApiAssociation appsync:GetApiCache appsync:GetChannelNamespace appsync:GetDataSource appsync:GetDataSourceIntrospection appsync:GetDomainName appsync:GetFunction appsync:GetGraphqlApi appsync:GetGraphqlApiEnvironmentVariables appsync:GetIntrospectionSchema appsync:GetResolver appsync:GetSchemaCreationStatus appsync:GetSourceApiAssociation appsync:GetType appsync:GetWebACLForResource appsync:ListApiKeys appsync:ListApis appsync:ListChannelNamespaces appsync:ListDataSources appsync:ListDomainNames appsync:ListFunctions appsync:ListGraphqlApis appsync:ListResolvers appsync:ListResolversByFunction appsync:ListResourcesForWebACL appsync:ListSourceApiAssociations appsync:ListTypes appsync:ListTypesByAssociation appsync:PutGraphqlApiEnvironmentVariables appsync:StartDataSourceIntrospection appsync:StartSchemaCreation appsync:StartSchemaMerge appsync:UpdateApi appsync:UpdateApiCache appsync:UpdateApiKey appsync:UpdateChannelNamespace appsync:UpdateDataSource appsync:UpdateDomainName appsync:UpdateFunction appsync:UpdateGraphqlApi appsync:UpdateResolver appsync:UpdateSourceApiAssociation appsync:UpdateType |
| aps | aps:CreateAlertManagerDefinition aps:CreateAnomalyDetector aps:CreateLoggingConfiguration aps:CreateQueryLoggingConfiguration aps:CreateRuleGroupsNamespace aps:CreateWorkspace aps:DeleteAlertManagerDefinition aps:DeleteAnomalyDetector aps:DeleteLoggingConfiguration aps:DeleteQueryLoggingConfiguration aps:DeleteResourcePolicy aps:DeleteRuleGroupsNamespace aps:DeleteScraper aps:DeleteScraperLoggingConfiguration aps:DeleteWorkspace aps:DescribeAlertManagerDefinition aps:DescribeAnomalyDetector aps:DescribeLoggingConfiguration aps:DescribeQueryLoggingConfiguration aps:DescribeResourcePolicy aps:DescribeRuleGroupsNamespace aps:DescribeScraper aps:DescribeScraperLoggingConfiguration aps:DescribeWorkspace aps:DescribeWorkspaceConfiguration aps:GetDefaultScraperConfiguration aps:ListAnomalyDetectors aps:ListRuleGroupsNamespaces aps:ListScrapers aps:ListWorkspaces aps:PutAlertManagerDefinition aps:PutAnomalyDetector aps:PutResourcePolicy aps:PutRuleGroupsNamespace aps:UpdateLoggingConfiguration aps:UpdateQueryLoggingConfiguration aps:UpdateScraper aps:UpdateScraperLoggingConfiguration aps:UpdateWorkspaceAlias aps:UpdateWorkspaceConfiguration |
| athena | athena:BatchGetNamedQuery athena:BatchGetPreparedStatement athena:BatchGetQueryExecution athena:CancelCapacityReservation athena:CreateCapacityReservation athena:CreateDataCatalog athena:CreateNamedQuery athena:CreateNotebook athena:CreatePreparedStatement athena:CreatePresignedNotebookUrl athena:CreateWorkGroup athena:DeleteCapacityReservation athena:DeleteDataCatalog athena:DeleteNamedQuery athena:DeleteNotebook athena:DeletePreparedStatement athena:DeleteWorkGroup athena:ExportNotebook athena:GetCalculationExecution athena:GetCalculationExecutionCode athena:GetCalculationExecutionStatus athena:GetCapacityAssignmentConfiguration athena:GetCapacityReservation athena:GetDataCatalog athena:GetDatabase athena:GetNamedQuery athena:GetNotebookMetadata athena:GetPreparedStatement athena:GetQueryExecution athena:GetQueryResults athena:GetQueryResultsStream athena:GetQueryRuntimeStatistics athena:GetResourceDashboard athena:GetSession athena:GetSessionEndpoint athena:GetSessionStatus athena:GetTableMetadata athena:GetWorkGroup athena:ImportNotebook athena:ListApplicationDPUSizes athena:ListCalculationExecutions athena:ListCapacityReservations athena:ListDataCatalogs athena:ListDatabases athena:ListEngineVersions athena:ListExecutors athena:ListNamedQueries athena:ListNotebookMetadata athena:ListNotebookSessions athena:ListPreparedStatements athena:ListQueryExecutions athena:ListSessions athena:ListTableMetadata athena:ListWorkGroups athena:PutCapacityAssignmentConfiguration athena:StartCalculationExecution athena:StartQueryExecution athena:StartSession athena:StopCalculationExecution athena:StopQueryExecution athena:TerminateSession athena:UpdateCapacityReservation athena:UpdateDataCatalog athena:UpdateNamedQuery athena:UpdateNotebook athena:UpdateNotebookMetadata athena:UpdatePreparedStatement athena:UpdateWorkGroup |
| auditmanager | auditmanager:AssociateAssessmentReportEvidenceFolder auditmanager:BatchAssociateAssessmentReportEvidence auditmanager:BatchCreateDelegationByAssessment auditmanager:BatchDeleteDelegationByAssessment auditmanager:BatchDisassociateAssessmentReportEvidence auditmanager:BatchImportEvidenceToAssessmentControl auditmanager:CreateAssessment auditmanager:CreateAssessmentFramework auditmanager:CreateAssessmentReport auditmanager:CreateControl auditmanager:DeleteAssessment auditmanager:DeleteAssessmentFramework auditmanager:DeleteAssessmentFrameworkShare auditmanager:DeleteAssessmentReport auditmanager:DeleteControl auditmanager:DeregisterAccount auditmanager:DeregisterOrganizationAdminAccount auditmanager:DisassociateAssessmentReportEvidenceFolder auditmanager:GetAccountStatus auditmanager:GetAssessment auditmanager:GetAssessmentFramework auditmanager:GetAssessmentReportUrl auditmanager:GetChangeLogs auditmanager:GetControl auditmanager:GetDelegations auditmanager:GetEvidence auditmanager:GetEvidenceByEvidenceFolder auditmanager:GetEvidenceFileUploadUrl auditmanager:GetEvidenceFolder auditmanager:GetEvidenceFoldersByAssessment auditmanager:GetEvidenceFoldersByAssessmentControl auditmanager:GetInsights auditmanager:GetInsightsByAssessment auditmanager:GetOrganizationAdminAccount auditmanager:GetServicesInScope auditmanager:GetSettings auditmanager:ListAssessmentControlInsightsByControlDomain auditmanager:ListAssessmentFrameworkShareRequests auditmanager:ListAssessmentFrameworks auditmanager:ListAssessmentReports auditmanager:ListAssessments auditmanager:ListControlDomainInsights auditmanager:ListControlDomainInsightsByAssessment auditmanager:ListControlInsightsByControlDomain auditmanager:ListControls auditmanager:ListKeywordsForDataSource auditmanager:ListNotifications auditmanager:RegisterAccount auditmanager:RegisterOrganizationAdminAccount auditmanager:StartAssessmentFrameworkShare auditmanager:UpdateAssessment auditmanager:UpdateAssessmentControl auditmanager:UpdateAssessmentControlSetStatus auditmanager:UpdateAssessmentFramework auditmanager:UpdateAssessmentFrameworkShare auditmanager:UpdateAssessmentStatus auditmanager:UpdateControl auditmanager:UpdateSettings auditmanager:ValidateAssessmentReportIntegrity |
| autoscaling | autoscaling:AttachInstances autoscaling:AttachLoadBalancerTargetGroups autoscaling:AttachLoadBalancers autoscaling:AttachTrafficSources autoscaling:BatchDeleteScheduledAction autoscaling:BatchPutScheduledUpdateGroupAction autoscaling:CancelInstanceRefresh autoscaling:CompleteLifecycleAction autoscaling:CreateAutoScalingGroup autoscaling:CreateLaunchConfiguration autoscaling:DeleteAutoScalingGroup autoscaling:DeleteLaunchConfiguration autoscaling:DeleteLifecycleHook autoscaling:DeleteNotificationConfiguration autoscaling:DeletePolicy autoscaling:DeleteScheduledAction autoscaling:DeleteWarmPool autoscaling:DescribeAccountLimits autoscaling:DescribeAdjustmentTypes autoscaling:DescribeAutoScalingGroups autoscaling:DescribeAutoScalingInstances autoscaling:DescribeAutoScalingNotificationTypes autoscaling:DescribeInstanceRefreshes autoscaling:DescribeLaunchConfigurations autoscaling:DescribeLifecycleHookTypes autoscaling:DescribeLifecycleHooks autoscaling:DescribeLoadBalancerTargetGroups autoscaling:DescribeLoadBalancers autoscaling:DescribeMetricCollectionTypes autoscaling:DescribeNotificationConfigurations autoscaling:DescribePolicies autoscaling:DescribeScalingActivities autoscaling:DescribeScalingProcessTypes autoscaling:DescribeScheduledActions autoscaling:DescribeTerminationPolicyTypes autoscaling:DescribeTrafficSources autoscaling:DescribeWarmPool autoscaling:DetachInstances autoscaling:DetachLoadBalancerTargetGroups autoscaling:DetachLoadBalancers autoscaling:DetachTrafficSources autoscaling:DisableMetricsCollection autoscaling:EnableMetricsCollection autoscaling:EnterStandby autoscaling:ExecutePolicy autoscaling:ExitStandby autoscaling:GetPredictiveScalingForecast autoscaling:PutLifecycleHook autoscaling:PutNotificationConfiguration autoscaling:PutScalingPolicy autoscaling:PutScheduledUpdateGroupAction autoscaling:PutWarmPool autoscaling:RecordLifecycleActionHeartbeat autoscaling:ResumeProcesses autoscaling:RollbackInstanceRefresh autoscaling:SetDesiredCapacity autoscaling:SetInstanceHealth autoscaling:SetInstanceProtection autoscaling:StartInstanceRefresh autoscaling:SuspendProcesses autoscaling:TerminateInstanceInAutoScalingGroup autoscaling:UpdateAutoScalingGroup |
| aws-marketplace | aws-marketplace:GetEntitlements |
| backup | backup:CancelLegalHold backup:CreateBackupPlan backup:CreateBackupSelection backup:CreateBackupVault backup:CreateFramework backup:CreateLegalHold backup:CreateLogicallyAirGappedBackupVault backup:CreateReportPlan backup:CreateRestoreAccessBackupVault backup:CreateRestoreTestingPlan backup:CreateRestoreTestingSelection backup:CreateTieringConfiguration backup:DeleteBackupPlan backup:DeleteBackupSelection backup:DeleteBackupVault backup:DeleteBackupVaultAccessPolicy backup:DeleteBackupVaultLockConfiguration backup:DeleteBackupVaultNotifications backup:DeleteFramework backup:DeleteRecoveryPoint backup:DeleteReportPlan backup:DeleteRestoreTestingPlan backup:DeleteRestoreTestingSelection backup:DeleteTieringConfiguration backup:DescribeBackupJob backup:DescribeBackupVault backup:DescribeCopyJob backup:DescribeFramework backup:DescribeGlobalSettings backup:DescribeProtectedResource backup:DescribeRecoveryPoint backup:DescribeRegionSettings backup:DescribeReportJob backup:DescribeReportPlan backup:DescribeRestoreJob backup:DescribeScanJob backup:DisassociateRecoveryPoint backup:DisassociateRecoveryPointFromParent backup:ExportBackupPlanTemplate backup:GetBackupPlan backup:GetBackupPlanFromJSON backup:GetBackupPlanFromTemplate backup:GetBackupSelection backup:GetBackupVaultAccessPolicy backup:GetBackupVaultNotifications backup:GetLegalHold backup:GetRecoveryPointRestoreMetadata backup:GetRestoreJobMetadata backup:GetRestoreTestingInferredMetadata backup:GetRestoreTestingPlan backup:GetRestoreTestingSelection backup:GetSupportedResourceTypes backup:GetTieringConfiguration backup:ListBackupJobSummaries backup:ListBackupJobs backup:ListBackupPlanTemplates backup:ListBackupPlanVersions backup:ListBackupPlans backup:ListBackupSelections backup:ListBackupVaults backup:ListCopyJobSummaries backup:ListCopyJobs backup:ListFrameworks backup:ListIndexedRecoveryPoints backup:ListLegalHolds backup:ListProtectedResources backup:ListRecoveryPointsByBackupVault backup:ListRecoveryPointsByLegalHold backup:ListRecoveryPointsByResource backup:ListReportJobs backup:ListReportPlans backup:ListRestoreAccessBackupVaults backup:ListRestoreJobSummaries backup:ListRestoreJobs backup:ListRestoreJobsByProtectedResource backup:ListRestoreTestingPlans backup:ListRestoreTestingSelections backup:ListScanJobSummaries backup:ListScanJobs backup:ListTieringConfigurations backup:PutBackupVaultAccessPolicy backup:PutBackupVaultLockConfiguration backup:PutBackupVaultNotifications backup:PutRestoreValidationResult backup:StartBackupJob backup:StartCopyJob backup:StartReportJob backup:StartRestoreJob backup:StopBackupJob backup:UpdateBackupPlan backup:UpdateFramework backup:UpdateGlobalSettings backup:UpdateRecoveryPointLifecycle backup:UpdateRegionSettings backup:UpdateReportPlan backup:UpdateRestoreTestingPlan backup:UpdateRestoreTestingSelection backup:UpdateTieringConfiguration |
| batch | batch:CancelJob batch:CreateComputeEnvironment batch:CreateConsumableResource batch:CreateJobQueue batch:CreateSchedulingPolicy batch:CreateServiceEnvironment batch:DeleteComputeEnvironment batch:DeleteConsumableResource batch:DeleteJobQueue batch:DeleteSchedulingPolicy batch:DeleteServiceEnvironment batch:DeregisterJobDefinition batch:DescribeComputeEnvironments batch:DescribeConsumableResource batch:DescribeJobDefinitions batch:DescribeJobQueues batch:DescribeJobs batch:DescribeSchedulingPolicies batch:DescribeServiceEnvironments batch:DescribeServiceJob batch:GetJobQueueSnapshot batch:ListConsumableResources batch:ListJobs batch:ListJobsByConsumableResource batch:ListSchedulingPolicies batch:ListServiceJobs batch:RegisterJobDefinition batch:SubmitJob batch:SubmitServiceJob batch:TerminateJob batch:TerminateServiceJob batch:UpdateComputeEnvironment batch:UpdateConsumableResource batch:UpdateJobQueue batch:UpdateSchedulingPolicy batch:UpdateServiceEnvironment |
| braket | braket:CancelJob braket:CancelQuantumTask braket:CreateJob braket:CreateQuantumTask braket:CreateSpendingLimit braket:GetDevice braket:GetJob braket:GetQuantumTask braket:SearchDevices braket:SearchJobs braket:SearchQuantumTasks braket:SearchSpendingLimits |
| budgets | budgets:CreateBudgetAction budgets:DeleteBudgetAction budgets:DescribeBudgetAction budgets:DescribeBudgetActionHistories budgets:DescribeBudgetActionsForAccount budgets:DescribeBudgetActionsForBudget budgets:ExecuteBudgetAction budgets:ModifyBudget budgets:UpdateBudgetAction budgets:ViewBudget |
| cloud9 | cloud9:CreateEnvironmentEC2 cloud9:CreateEnvironmentMembership cloud9:DeleteEnvironment cloud9:DeleteEnvironmentMembership cloud9:DescribeEnvironmentMemberships cloud9:DescribeEnvironmentStatus cloud9:DescribeEnvironments cloud9:ListEnvironments cloud9:UpdateEnvironment cloud9:UpdateEnvironmentMembership |
| cloudformation | cloudformation:BatchDescribeTypeConfigurations cloudformation:CancelUpdateStack cloudformation:ContinueUpdateRollback cloudformation:CreateChangeSet cloudformation:CreateGeneratedTemplate cloudformation:CreateStack cloudformation:CreateStackInstances cloudformation:CreateStackSet cloudformation:DeactivateType cloudformation:DeleteChangeSet cloudformation:DeleteGeneratedTemplate cloudformation:DeleteStack cloudformation:DeleteStackInstances cloudformation:DeleteStackSet cloudformation:DeregisterType cloudformation:DescribeAccountLimits cloudformation:DescribeChangeSet cloudformation:DescribeChangeSetHooks cloudformation:DescribeEvents cloudformation:DescribeGeneratedTemplate cloudformation:DescribeOrganizationsAccess cloudformation:DescribePublisher cloudformation:DescribeResourceScan cloudformation:DescribeStackDriftDetectionStatus cloudformation:DescribeStackEvents cloudformation:DescribeStackInstance cloudformation:DescribeStackResource cloudformation:DescribeStackResourceDrifts cloudformation:DescribeStackResources cloudformation:DescribeStackSet cloudformation:DescribeStackSetOperation cloudformation:DescribeStacks cloudformation:DescribeType cloudformation:DescribeTypeRegistration cloudformation:DetectStackDrift cloudformation:DetectStackResourceDrift cloudformation:DetectStackSetDrift cloudformation:EstimateTemplateCost cloudformation:ExecuteChangeSet cloudformation:GetGeneratedTemplate cloudformation:GetHookResult cloudformation:GetStackPolicy cloudformation:GetTemplate cloudformation:GetTemplateSummary cloudformation:ImportStacksToStackSet cloudformation:ListChangeSets cloudformation:ListExports cloudformation:ListGeneratedTemplates cloudformation:ListHookResults cloudformation:ListImports cloudformation:ListResourceScanRelatedResources cloudformation:ListResourceScanResources cloudformation:ListResourceScans cloudformation:ListStackInstanceResourceDrifts cloudformation:ListStackInstances cloudformation:ListStackRefactors cloudformation:ListStackResources cloudformation:ListStackSetAutoDeploymentTargets cloudformation:ListStackSetOperationResults cloudformation:ListStackSetOperations cloudformation:ListStackSets cloudformation:ListTypeRegistrations cloudformation:ListTypeVersions cloudformation:ListTypes cloudformation:PublishType cloudformation:RecordHandlerProgress cloudformation:RegisterPublisher cloudformation:RegisterType cloudformation:RollbackStack cloudformation:SetStackPolicy cloudformation:SetTypeConfiguration cloudformation:SetTypeDefaultVersion cloudformation:SignalResource cloudformation:StartResourceScan cloudformation:StopStackSetOperation cloudformation:TestType cloudformation:UpdateGeneratedTemplate cloudformation:UpdateStack cloudformation:UpdateStackInstances cloudformation:UpdateStackSet cloudformation:UpdateTerminationProtection cloudformation:ValidateTemplate |
| cloudfront | cloudfront:AssociateAlias cloudfront:AssociateDistributionTenantWebACL cloudfront:AssociateDistributionWebACL cloudfront:CreateCachePolicy cloudfront:CreateCloudFrontOriginAccessIdentity cloudfront:CreateConnectionFunction cloudfront:CreateContinuousDeploymentPolicy cloudfront:CreateDistributionTenant cloudfront:CreateFieldLevelEncryptionConfig cloudfront:CreateFieldLevelEncryptionProfile cloudfront:CreateFunction cloudfront:CreateInvalidation cloudfront:CreateKeyGroup cloudfront:CreateKeyValueStore cloudfront:CreateMonitoringSubscription cloudfront:CreateOriginAccessControl cloudfront:CreateOriginRequestPolicy cloudfront:CreatePublicKey cloudfront:CreateRealtimeLogConfig cloudfront:CreateResponseHeadersPolicy cloudfront:CreateTrustStore cloudfront:DeleteAnycastIpList cloudfront:DeleteCachePolicy cloudfront:DeleteCloudFrontOriginAccessIdentity cloudfront:DeleteConnectionFunction cloudfront:DeleteConnectionGroup cloudfront:DeleteContinuousDeploymentPolicy cloudfront:DeleteDistribution cloudfront:DeleteDistributionTenant cloudfront:DeleteFieldLevelEncryptionConfig cloudfront:DeleteFieldLevelEncryptionProfile cloudfront:DeleteFunction cloudfront:DeleteKeyGroup cloudfront:DeleteKeyValueStore cloudfront:DeleteMonitoringSubscription cloudfront:DeleteOriginAccessControl cloudfront:DeleteOriginRequestPolicy cloudfront:DeletePublicKey cloudfront:DeleteRealtimeLogConfig cloudfront:DeleteResponseHeadersPolicy cloudfront:DeleteStreamingDistribution cloudfront:DeleteTrustStore cloudfront:DeleteVpcOrigin cloudfront:DescribeFunction cloudfront:DescribeKeyValueStore cloudfront:DisassociateDistributionTenantWebACL cloudfront:DisassociateDistributionWebACL cloudfront:GetAnycastIpList cloudfront:GetCachePolicy cloudfront:GetCachePolicyConfig cloudfront:GetCloudFrontOriginAccessIdentity cloudfront:GetCloudFrontOriginAccessIdentityConfig cloudfront:GetContinuousDeploymentPolicy cloudfront:GetContinuousDeploymentPolicyConfig cloudfront:GetDistributionConfig cloudfront:GetFieldLevelEncryption cloudfront:GetFieldLevelEncryptionConfig cloudfront:GetFieldLevelEncryptionProfile cloudfront:GetFieldLevelEncryptionProfileConfig cloudfront:GetFunction cloudfront:GetInvalidation cloudfront:GetInvalidationForDistributionTenant cloudfront:GetKeyGroup cloudfront:GetKeyGroupConfig cloudfront:GetMonitoringSubscription cloudfront:GetOriginAccessControl cloudfront:GetOriginAccessControlConfig cloudfront:GetOriginRequestPolicy cloudfront:GetOriginRequestPolicyConfig cloudfront:GetPublicKey cloudfront:GetPublicKeyConfig cloudfront:GetRealtimeLogConfig cloudfront:GetResponseHeadersPolicy cloudfront:GetResponseHeadersPolicyConfig cloudfront:GetStreamingDistribution cloudfront:GetStreamingDistributionConfig cloudfront:GetVpcOrigin cloudfront:ListAnycastIpLists cloudfront:ListCachePolicies cloudfront:ListCloudFrontOriginAccessIdentities cloudfront:ListConflictingAliases cloudfront:ListConnectionFunctions cloudfront:ListConnectionGroups cloudfront:ListContinuousDeploymentPolicies cloudfront:ListDistributionTenants cloudfront:ListDistributionTenantsByCustomization cloudfront:ListDistributions cloudfront:ListDistributionsByAnycastIpListId cloudfront:ListDistributionsByCachePolicyId cloudfront:ListDistributionsByConnectionMode cloudfront:ListDistributionsByKeyGroup cloudfront:ListDistributionsByOriginRequestPolicyId cloudfront:ListDistributionsByRealtimeLogConfig cloudfront:ListDistributionsByResponseHeadersPolicyId cloudfront:ListDistributionsByVpcOriginId cloudfront:ListDistributionsByWebACLId cloudfront:ListFieldLevelEncryptionConfigs cloudfront:ListFieldLevelEncryptionProfiles cloudfront:ListFunctions cloudfront:ListInvalidations cloudfront:ListInvalidationsForDistributionTenant cloudfront:ListKeyGroups cloudfront:ListKeyValueStores cloudfront:ListOriginAccessControls cloudfront:ListOriginRequestPolicies cloudfront:ListPublicKeys cloudfront:ListRealtimeLogConfigs cloudfront:ListResponseHeadersPolicies cloudfront:ListStreamingDistributions cloudfront:ListTrustStores cloudfront:PublishConnectionFunction cloudfront:PublishFunction cloudfront:TestConnectionFunction cloudfront:TestFunction cloudfront:UpdateAnycastIpList cloudfront:UpdateCachePolicy cloudfront:UpdateCloudFrontOriginAccessIdentity cloudfront:UpdateConnectionFunction cloudfront:UpdateConnectionGroup cloudfront:UpdateContinuousDeploymentPolicy cloudfront:UpdateDistribution cloudfront:UpdateDistributionTenant cloudfront:UpdateFieldLevelEncryptionConfig cloudfront:UpdateFieldLevelEncryptionProfile cloudfront:UpdateFunction cloudfront:UpdateKeyGroup cloudfront:UpdateKeyValueStore cloudfront:UpdateOriginAccessControl cloudfront:UpdateOriginRequestPolicy cloudfront:UpdatePublicKey cloudfront:UpdateRealtimeLogConfig cloudfront:UpdateResponseHeadersPolicy cloudfront:UpdateTrustStore |
| cloudhsm | cloudhsm:CreateHsm cloudhsm:DeleteBackup cloudhsm:DeleteHsm cloudhsm:DeleteResourcePolicy cloudhsm:DescribeBackups cloudhsm:DescribeClusters cloudhsm:GetResourcePolicy cloudhsm:InitializeCluster cloudhsm:ModifyBackupAttributes cloudhsm:ModifyCluster cloudhsm:PutResourcePolicy cloudhsm:RestoreBackup |
| cloudsearch | cloudsearch:BuildSuggesters cloudsearch:CreateDomain cloudsearch:DefineAnalysisScheme cloudsearch:DefineExpression cloudsearch:DefineIndexField cloudsearch:DefineSuggester cloudsearch:DeleteAnalysisScheme cloudsearch:DeleteDomain cloudsearch:DeleteExpression cloudsearch:DeleteIndexField cloudsearch:DeleteSuggester cloudsearch:DescribeAnalysisSchemes cloudsearch:DescribeAvailabilityOptions cloudsearch:DescribeDomainEndpointOptions cloudsearch:DescribeDomains cloudsearch:DescribeExpressions cloudsearch:DescribeIndexFields cloudsearch:DescribeScalingParameters cloudsearch:DescribeServiceAccessPolicies cloudsearch:DescribeSuggesters cloudsearch:IndexDocuments cloudsearch:ListDomainNames cloudsearch:UpdateAvailabilityOptions cloudsearch:UpdateDomainEndpointOptions cloudsearch:UpdateScalingParameters cloudsearch:UpdateServiceAccessPolicies |
| cloudtrail | cloudtrail:CancelQuery cloudtrail:CreateChannel cloudtrail:CreateDashboard cloudtrail:CreateEventDataStore cloudtrail:CreateTrail cloudtrail:DeleteChannel cloudtrail:DeleteDashboard cloudtrail:DeleteEventDataStore cloudtrail:DeleteResourcePolicy cloudtrail:DeleteTrail cloudtrail:DeregisterOrganizationDelegatedAdmin cloudtrail:DescribeQuery cloudtrail:DescribeTrails cloudtrail:DisableFederation cloudtrail:GenerateQuery cloudtrail:GetChannel cloudtrail:GetDashboard cloudtrail:GetEventConfiguration cloudtrail:GetEventDataStore cloudtrail:GetEventDataStoreData cloudtrail:GetEventSelectors cloudtrail:GetImport cloudtrail:GetInsightSelectors cloudtrail:GetResourcePolicy cloudtrail:GetTrail cloudtrail:GetTrailStatus cloudtrail:ListChannels cloudtrail:ListDashboards cloudtrail:ListEventDataStores cloudtrail:ListImportFailures cloudtrail:ListImports cloudtrail:ListInsightsData cloudtrail:ListPublicKeys cloudtrail:ListQueries cloudtrail:ListTrails cloudtrail:LookupEvents cloudtrail:PutEventConfiguration cloudtrail:PutEventSelectors cloudtrail:PutInsightSelectors cloudtrail:PutResourcePolicy cloudtrail:RegisterOrganizationDelegatedAdmin cloudtrail:RestoreEventDataStore cloudtrail:SearchSampleQueries cloudtrail:StartEventDataStoreIngestion cloudtrail:StartImport cloudtrail:StartLogging cloudtrail:StartQuery cloudtrail:StopEventDataStoreIngestion cloudtrail:StopImport cloudtrail:StopLogging cloudtrail:UpdateChannel cloudtrail:UpdateDashboard cloudtrail:UpdateEventDataStore cloudtrail:UpdateTrail |
| cloudwatch | cloudwatch:DeleteAlarms cloudwatch:DeleteAnomalyDetector cloudwatch:DeleteDashboards cloudwatch:DeleteInsightRules cloudwatch:DeleteMetricStream cloudwatch:DescribeAlarmHistory cloudwatch:DescribeAlarms cloudwatch:DescribeAlarmsForMetric cloudwatch:DescribeAnomalyDetectors cloudwatch:DescribeInsightRules cloudwatch:DisableAlarmActions cloudwatch:DisableInsightRules cloudwatch:EnableAlarmActions cloudwatch:EnableInsightRules cloudwatch:GetDashboard cloudwatch:GetInsightRuleReport cloudwatch:GetMetricStatistics cloudwatch:GetMetricStream cloudwatch:ListDashboards cloudwatch:ListManagedInsightRules cloudwatch:ListMetricStreams cloudwatch:PutAnomalyDetector cloudwatch:PutCompositeAlarm cloudwatch:PutDashboard cloudwatch:PutInsightRule cloudwatch:PutManagedInsightRules cloudwatch:PutMetricAlarm cloudwatch:PutMetricStream cloudwatch:SetAlarmState cloudwatch:StartMetricStreams cloudwatch:StopMetricStreams |
| codeartifact | codeartifact:AssociateExternalConnection codeartifact:CopyPackageVersions codeartifact:CreateDomain codeartifact:CreateRepository codeartifact:DeleteDomain codeartifact:DeleteDomainPermissionsPolicy codeartifact:DeletePackage codeartifact:DeletePackageVersions codeartifact:DeleteRepository codeartifact:DeleteRepositoryPermissionsPolicy codeartifact:DescribeDomain codeartifact:DescribePackage codeartifact:DescribePackageVersion codeartifact:DescribeRepository codeartifact:DisassociateExternalConnection codeartifact:DisposePackageVersions codeartifact:GetAssociatedPackageGroup codeartifact:GetAuthorizationToken codeartifact:GetDomainPermissionsPolicy codeartifact:GetPackageVersionAsset codeartifact:GetPackageVersionReadme codeartifact:GetRepositoryEndpoint codeartifact:GetRepositoryPermissionsPolicy codeartifact:ListDomains codeartifact:ListPackageGroups codeartifact:ListPackageVersionAssets codeartifact:ListPackageVersionDependencies codeartifact:ListPackageVersions codeartifact:ListPackages codeartifact:ListRepositories codeartifact:ListRepositoriesInDomain codeartifact:PublishPackageVersion codeartifact:PutDomainPermissionsPolicy codeartifact:PutPackageMetadata codeartifact:PutPackageOriginConfiguration codeartifact:PutRepositoryPermissionsPolicy codeartifact:ReadFromRepository codeartifact:UpdatePackageVersionsStatus codeartifact:UpdateRepository |
| codedeploy | codedeploy:BatchGetApplicationRevisions codedeploy:BatchGetApplications codedeploy:BatchGetDeploymentGroups codedeploy:BatchGetDeploymentInstances codedeploy:BatchGetDeploymentTargets codedeploy:BatchGetDeployments codedeploy:BatchGetOnPremisesInstances codedeploy:ContinueDeployment codedeploy:CreateApplication codedeploy:CreateDeployment codedeploy:CreateDeploymentConfig codedeploy:CreateDeploymentGroup codedeploy:DeleteApplication codedeploy:DeleteDeploymentConfig codedeploy:DeleteDeploymentGroup codedeploy:DeleteGitHubAccountToken codedeploy:DeleteResourcesByExternalId codedeploy:DeregisterOnPremisesInstance codedeploy:GetApplication codedeploy:GetApplicationRevision codedeploy:GetDeployment codedeploy:GetDeploymentConfig codedeploy:GetDeploymentGroup codedeploy:GetDeploymentInstance codedeploy:GetDeploymentTarget codedeploy:GetOnPremisesInstance codedeploy:ListApplicationRevisions codedeploy:ListApplications codedeploy:ListDeploymentConfigs codedeploy:ListDeploymentGroups codedeploy:ListDeploymentInstances codedeploy:ListDeploymentTargets codedeploy:ListDeployments codedeploy:ListGitHubAccountTokenNames codedeploy:ListOnPremisesInstances codedeploy:PutLifecycleEventHookExecutionStatus codedeploy:RegisterApplicationRevision codedeploy:RegisterOnPremisesInstance codedeploy:SkipWaitTimeForInstanceTermination codedeploy:StopDeployment codedeploy:UpdateApplication codedeploy:UpdateDeploymentGroup |
| codeguru-profiler | codeguru-profiler:AddNotificationChannels codeguru-profiler:BatchGetFrameMetricData codeguru-profiler:CreateProfilingGroup codeguru-profiler:DeleteProfilingGroup codeguru-profiler:DescribeProfilingGroup codeguru-profiler:GetFindingsReportAccountSummary codeguru-profiler:GetNotificationConfiguration codeguru-profiler:GetPolicy codeguru-profiler:GetProfile codeguru-profiler:GetRecommendations codeguru-profiler:ListFindingsReports codeguru-profiler:ListProfileTimes codeguru-profiler:ListProfilingGroups codeguru-profiler:PutPermission codeguru-profiler:RemoveNotificationChannel codeguru-profiler:RemovePermission codeguru-profiler:SubmitFeedback codeguru-profiler:UpdateProfilingGroup |
| codeguru-reviewer | codeguru-reviewer:AssociateRepository codeguru-reviewer:CreateCodeReview codeguru-reviewer:DescribeCodeReview codeguru-reviewer:DescribeRecommendationFeedback codeguru-reviewer:DescribeRepositoryAssociation codeguru-reviewer:DisassociateRepository codeguru-reviewer:ListCodeReviews codeguru-reviewer:ListRecommendationFeedback codeguru-reviewer:ListRecommendations codeguru-reviewer:ListRepositoryAssociations codeguru-reviewer:PutRecommendationFeedback |
| codepipeline | codepipeline:AcknowledgeJob codepipeline:AcknowledgeThirdPartyJob codepipeline:CreateCustomActionType codepipeline:CreatePipeline codepipeline:DeleteCustomActionType codepipeline:DeletePipeline codepipeline:DeleteWebhook codepipeline:DeregisterWebhookWithThirdParty codepipeline:GetActionType codepipeline:GetJobDetails codepipeline:GetPipeline codepipeline:GetPipelineExecution codepipeline:GetPipelineState codepipeline:GetThirdPartyJobDetails codepipeline:ListActionExecutions codepipeline:ListActionTypes codepipeline:ListPipelineExecutions codepipeline:ListPipelines codepipeline:ListRuleExecutions codepipeline:ListRuleTypes codepipeline:ListWebhooks codepipeline:OverrideStageCondition codepipeline:PollForJobs codepipeline:PollForThirdPartyJobs codepipeline:PutActionRevision codepipeline:PutApprovalResult codepipeline:PutJobFailureResult codepipeline:PutJobSuccessResult codepipeline:PutThirdPartyJobFailureResult codepipeline:PutThirdPartyJobSuccessResult codepipeline:PutWebhook codepipeline:RegisterWebhookWithThirdParty codepipeline:RollbackStage codepipeline:StartPipelineExecution codepipeline:StopPipelineExecution codepipeline:UpdateActionType codepipeline:UpdatePipeline |
| codestar | codestar:AssociateTeamMember codestar:CreateProject codestar:CreateUserProfile codestar:DeleteProject codestar:DeleteUserProfile codestar:DescribeProject codestar:DescribeUserProfile codestar:DisassociateTeamMember codestar:ListProjects codestar:ListResources codestar:ListTeamMembers codestar:ListUserProfiles codestar:UpdateProject codestar:UpdateTeamMember codestar:UpdateUserProfile |
| codestar-notifications | codestar-notifications:CreateNotificationRule codestar-notifications:DeleteNotificationRule codestar-notifications:DeleteTarget codestar-notifications:DescribeNotificationRule codestar-notifications:ListEventTypes codestar-notifications:ListNotificationRules codestar-notifications:ListTargets codestar-notifications:Subscribe codestar-notifications:Unsubscribe codestar-notifications:UpdateNotificationRule |
| cognito-identity | cognito-identity:CreateIdentityPool cognito-identity:DeleteIdentities cognito-identity:DeleteIdentityPool cognito-identity:DescribeIdentity cognito-identity:DescribeIdentityPool cognito-identity:GetIdentityPoolRoles cognito-identity:ListIdentities cognito-identity:ListIdentityPools cognito-identity:LookupDeveloperIdentity cognito-identity:MergeDeveloperIdentities cognito-identity:SetIdentityPoolRoles cognito-identity:UnlinkDeveloperIdentity cognito-identity:UpdateIdentityPool |
| cognito-idp | cognito-idp:AddCustomAttributes cognito-idp:AdminAddUserToGroup cognito-idp:AdminConfirmSignUp cognito-idp:AdminCreateUser cognito-idp:AdminDeleteUser cognito-idp:AdminDeleteUserAttributes cognito-idp:AdminDisableProviderForUser cognito-idp:AdminDisableUser cognito-idp:AdminEnableUser cognito-idp:AdminForgetDevice cognito-idp:AdminGetDevice cognito-idp:AdminGetUser cognito-idp:AdminInitiateAuth cognito-idp:AdminLinkProviderForUser cognito-idp:AdminListDevices cognito-idp:AdminListGroupsForUser cognito-idp:AdminListUserAuthEvents cognito-idp:AdminRemoveUserFromGroup cognito-idp:AdminResetUserPassword cognito-idp:AdminRespondToAuthChallenge cognito-idp:AdminSetUserMFAPreference cognito-idp:AdminSetUserPassword cognito-idp:AdminSetUserSettings cognito-idp:AdminUpdateAuthEventFeedback cognito-idp:AdminUpdateDeviceStatus cognito-idp:AdminUpdateUserAttributes cognito-idp:AdminUserGlobalSignOut cognito-idp:AssociateSoftwareToken cognito-idp:ChangePassword cognito-idp:ConfirmDevice cognito-idp:ConfirmForgotPassword cognito-idp:ConfirmSignUp cognito-idp:CreateGroup cognito-idp:CreateIdentityProvider cognito-idp:CreateManagedLoginBranding cognito-idp:CreateResourceServer cognito-idp:CreateTerms cognito-idp:CreateUserImportJob cognito-idp:CreateUserPool cognito-idp:CreateUserPoolClient cognito-idp:CreateUserPoolDomain cognito-idp:DeleteGroup cognito-idp:DeleteIdentityProvider cognito-idp:DeleteManagedLoginBranding cognito-idp:DeleteResourceServer cognito-idp:DeleteTerms cognito-idp:DeleteUser cognito-idp:DeleteUserAttributes cognito-idp:DeleteUserPool cognito-idp:DeleteUserPoolClient cognito-idp:DeleteUserPoolDomain cognito-idp:DescribeIdentityProvider cognito-idp:DescribeManagedLoginBranding cognito-idp:DescribeManagedLoginBrandingByClient cognito-idp:DescribeResourceServer cognito-idp:DescribeRiskConfiguration cognito-idp:DescribeTerms cognito-idp:DescribeUserImportJob cognito-idp:DescribeUserPool cognito-idp:DescribeUserPoolClient cognito-idp:DescribeUserPoolDomain cognito-idp:ForgetDevice cognito-idp:ForgotPassword cognito-idp:GetCSVHeader cognito-idp:GetDevice cognito-idp:GetGroup cognito-idp:GetIdentityProviderByIdentifier cognito-idp:GetLogDeliveryConfiguration cognito-idp:GetSigningCertificate cognito-idp:GetUICustomization cognito-idp:GetUser cognito-idp:GetUserAttributeVerificationCode cognito-idp:GetUserPoolMfaConfig cognito-idp:GlobalSignOut cognito-idp:InitiateAuth cognito-idp:ListDevices cognito-idp:ListGroups cognito-idp:ListIdentityProviders cognito-idp:ListResourceServers cognito-idp:ListTerms cognito-idp:ListUserImportJobs cognito-idp:ListUserPoolClients cognito-idp:ListUserPools cognito-idp:ListUsers cognito-idp:ListUsersInGroup cognito-idp:ResendConfirmationCode cognito-idp:RespondToAuthChallenge cognito-idp:RevokeToken cognito-idp:SetLogDeliveryConfiguration cognito-idp:SetRiskConfiguration cognito-idp:SetUICustomization cognito-idp:SetUserMFAPreference cognito-idp:SetUserPoolMfaConfig cognito-idp:SetUserSettings cognito-idp:SignUp cognito-idp:StartUserImportJob cognito-idp:StopUserImportJob cognito-idp:UpdateAuthEventFeedback cognito-idp:UpdateDeviceStatus cognito-idp:UpdateGroup cognito-idp:UpdateIdentityProvider cognito-idp:UpdateResourceServer cognito-idp:UpdateTerms cognito-idp:UpdateUserAttributes cognito-idp:UpdateUserPool cognito-idp:UpdateUserPoolClient cognito-idp:UpdateUserPoolDomain cognito-idp:VerifySoftwareToken cognito-idp:VerifyUserAttribute |
| cognito-sync | cognito-sync:BulkPublish cognito-sync:DeleteDataset cognito-sync:DescribeDataset cognito-sync:DescribeIdentityPoolUsage cognito-sync:DescribeIdentityUsage cognito-sync:GetBulkPublishDetails cognito-sync:GetCognitoEvents cognito-sync:GetIdentityPoolConfiguration cognito-sync:ListDatasets cognito-sync:ListIdentityPoolUsage cognito-sync:ListRecords cognito-sync:RegisterDevice cognito-sync:SetCognitoEvents cognito-sync:SetIdentityPoolConfiguration cognito-sync:SubscribeToDataset cognito-sync:UnsubscribeFromDataset cognito-sync:UpdateRecords |
| comprehendmedical | comprehendmedical:DescribeEntitiesDetectionV2Job comprehendmedical:DescribeICD10CMInferenceJob comprehendmedical:DescribePHIDetectionJob comprehendmedical:DescribeRxNormInferenceJob comprehendmedical:DescribeSNOMEDCTInferenceJob comprehendmedical:DetectEntitiesV2 comprehendmedical:DetectPHI comprehendmedical:InferICD10CM comprehendmedical:InferRxNorm comprehendmedical:InferSNOMEDCT comprehendmedical:ListEntitiesDetectionV2Jobs comprehendmedical:ListICD10CMInferenceJobs comprehendmedical:ListPHIDetectionJobs comprehendmedical:ListRxNormInferenceJobs comprehendmedical:ListSNOMEDCTInferenceJobs comprehendmedical:StartEntitiesDetectionV2Job comprehendmedical:StartICD10CMInferenceJob comprehendmedical:StartPHIDetectionJob comprehendmedical:StartRxNormInferenceJob comprehendmedical:StartSNOMEDCTInferenceJob comprehendmedical:StopEntitiesDetectionV2Job comprehendmedical:StopICD10CMInferenceJob comprehendmedical:StopPHIDetectionJob comprehendmedical:StopRxNormInferenceJob comprehendmedical:StopSNOMEDCTInferenceJob |
| compute-optimizer | compute-optimizer:DeleteRecommendationPreferences compute-optimizer:DescribeRecommendationExportJobs compute-optimizer:ExportAutoScalingGroupRecommendations compute-optimizer:ExportEBSVolumeRecommendations compute-optimizer:ExportEC2InstanceRecommendations compute-optimizer:ExportECSServiceRecommendations compute-optimizer:ExportIdleRecommendations compute-optimizer:ExportLambdaFunctionRecommendations compute-optimizer:ExportLicenseRecommendations compute-optimizer:ExportRDSDatabaseRecommendations compute-optimizer:GetEC2RecommendationProjectedMetrics compute-optimizer:GetECSServiceRecommendationProjectedMetrics compute-optimizer:GetEffectiveRecommendationPreferences compute-optimizer:GetEnrollmentStatus compute-optimizer:GetEnrollmentStatusesForOrganization compute-optimizer:GetRDSDatabaseRecommendationProjectedMetrics compute-optimizer:GetRecommendationPreferences compute-optimizer:GetRecommendationSummaries compute-optimizer:PutRecommendationPreferences compute-optimizer:UpdateEnrollmentStatus |
| config | config:BatchGetResourceConfig config:DeleteAggregationAuthorization config:DeleteConfigRule config:DeleteConfigurationAggregator config:DeleteConfigurationRecorder config:DeleteConformancePack config:DeleteDeliveryChannel config:DeleteEvaluationResults config:DeleteOrganizationConfigRule config:DeleteOrganizationConformancePack config:DeletePendingAggregationRequest config:DeleteRemediationConfiguration config:DeleteRemediationExceptions config:DeleteResourceConfig config:DeleteRetentionConfiguration config:DeleteStoredQuery config:DeliverConfigSnapshot config:DescribeAggregateComplianceByConfigRules config:DescribeAggregateComplianceByConformancePacks config:DescribeAggregationAuthorizations config:DescribeComplianceByConfigRule config:DescribeComplianceByResource config:DescribeConfigRuleEvaluationStatus config:DescribeConfigRules config:DescribeConfigurationAggregatorSourcesStatus config:DescribeConfigurationAggregators config:DescribeConfigurationRecorderStatus config:DescribeConfigurationRecorders config:DescribeConformancePackCompliance config:DescribeConformancePackStatus config:DescribeConformancePacks config:DescribeDeliveryChannelStatus config:DescribeDeliveryChannels config:DescribeOrganizationConfigRuleStatuses config:DescribeOrganizationConfigRules config:DescribeOrganizationConformancePackStatuses config:DescribeOrganizationConformancePacks config:DescribePendingAggregationRequests config:DescribeRemediationConfigurations config:DescribeRemediationExceptions config:DescribeRemediationExecutionStatus config:DescribeRetentionConfigurations config:GetComplianceDetailsByConfigRule config:GetComplianceDetailsByResource config:GetComplianceSummaryByConfigRule config:GetComplianceSummaryByResourceType config:GetConformancePackComplianceDetails config:GetConformancePackComplianceSummary config:GetCustomRulePolicy config:GetDiscoveredResourceCounts config:GetOrganizationConfigRuleDetailedStatus config:GetOrganizationConformancePackDetailedStatus config:GetOrganizationCustomRulePolicy config:GetResourceConfigHistory config:GetResourceEvaluationSummary config:GetStoredQuery config:ListConfigurationRecorders config:ListConformancePackComplianceScores config:ListDiscoveredResources config:ListResourceEvaluations config:ListStoredQueries config:PutConfigRule config:PutConfigurationAggregator config:PutConfigurationRecorder config:PutConformancePack config:PutDeliveryChannel config:PutEvaluations config:PutExternalEvaluation config:PutOrganizationConfigRule config:PutOrganizationConformancePack config:PutRemediationConfigurations config:PutRemediationExceptions config:PutResourceConfig config:PutRetentionConfiguration config:PutStoredQuery config:SelectResourceConfig config:StartConfigRulesEvaluation config:StartConfigurationRecorder config:StartRemediationExecution config:StartResourceEvaluation config:StopConfigurationRecorder |
| connect | connect:ActivateEvaluationForm connect:AssociateAnalyticsDataSet connect:AssociateApprovedOrigin connect:AssociateBot connect:AssociateContactWithUser connect:AssociateDefaultVocabulary connect:AssociateEmailAddressAlias connect:AssociateFlow connect:AssociateInstanceStorageConfig connect:AssociateLambdaFunction connect:AssociateLexBot connect:AssociatePhoneNumberContactFlow connect:AssociateQueueQuickConnects connect:AssociateRoutingProfileQueues connect:AssociateSecurityKey connect:AssociateUserProficiencies connect:BatchAssociateAnalyticsDataSet connect:BatchCreateDataTableValue connect:BatchDeleteDataTableValue connect:BatchDescribeDataTableValue connect:BatchDisassociateAnalyticsDataSet connect:BatchGetFlowAssociation connect:BatchPutContact connect:BatchUpdateDataTableValue connect:ClaimPhoneNumber connect:CreateAgentStatus connect:CreateContact connect:CreateContactFlow connect:CreateContactFlowModule connect:CreateContactFlowModuleAlias connect:CreateContactFlowModuleVersion connect:CreateContactFlowVersion connect:CreateDataTable connect:CreateDataTableAttribute connect:CreateEmailAddress connect:CreateEvaluationForm connect:CreateHoursOfOperation connect:CreateInstance connect:CreateIntegrationAssociation connect:CreateParticipant connect:CreatePersistentContactAssociation connect:CreatePredefinedAttribute connect:CreatePrompt connect:CreatePushNotificationRegistration connect:CreateQueue connect:CreateQuickConnect connect:CreateRoutingProfile connect:CreateRule connect:CreateSecurityProfile connect:CreateTaskTemplate connect:CreateTrafficDistributionGroup connect:CreateUseCase connect:CreateUser connect:CreateUserHierarchyGroup connect:CreateView connect:CreateViewVersion connect:CreateVocabulary connect:CreateWorkspace connect:DeactivateEvaluationForm connect:DeleteContactEvaluation connect:DeleteContactFlow connect:DeleteContactFlowModule connect:DeleteContactFlowModuleAlias connect:DeleteContactFlowModuleVersion connect:DeleteContactFlowVersion connect:DeleteDataTable connect:DeleteDataTableAttribute connect:DeleteEmailAddress connect:DeleteEvaluationForm connect:DeleteHoursOfOperation connect:DeleteHoursOfOperationOverride connect:DeleteInstance connect:DeleteIntegrationAssociation connect:DeletePredefinedAttribute connect:DeletePrompt connect:DeletePushNotificationRegistration connect:DeleteQueue connect:DeleteQuickConnect connect:DeleteRoutingProfile connect:DeleteRule connect:DeleteSecurityProfile connect:DeleteTaskTemplate connect:DeleteTrafficDistributionGroup connect:DeleteUseCase connect:DeleteUser connect:DeleteUserHierarchyGroup connect:DeleteView connect:DeleteVocabulary connect:DeleteWorkspace connect:DeleteWorkspaceMedia connect:DescribeAuthenticationProfile connect:DescribeContactFlowModuleAlias connect:DescribeDataTableAttribute connect:DescribeHoursOfOperationOverride connect:DescribeInstanceAttribute connect:DescribeInstanceStorageConfig connect:DescribePhoneNumber connect:DescribeRule connect:DescribeTrafficDistributionGroup connect:DescribeUserHierarchyStructure connect:DescribeVocabulary connect:DisassociateAnalyticsDataSet connect:DisassociateApprovedOrigin connect:DisassociateBot connect:DisassociateEmailAddressAlias connect:DisassociateFlow connect:DisassociateInstanceStorageConfig connect:DisassociateLambdaFunction connect:DisassociateLexBot connect:DisassociatePhoneNumberContactFlow connect:DisassociateQueueQuickConnects connect:DisassociateRoutingProfileQueues connect:DisassociateSecurityKey connect:DisassociateUserProficiencies connect:DismissUserContact connect:EvaluateDataTableValues connect:GetContactAttributes connect:GetContactMetrics connect:GetCurrentMetricData connect:GetCurrentUserData connect:GetEffectiveHoursOfOperations connect:GetFederationToken connect:GetFlowAssociation connect:GetMetricData connect:GetMetricDataV2 connect:GetPromptFile connect:GetTaskTemplate connect:GetTrafficDistribution connect:ImportPhoneNumber connect:ImportWorkspaceMedia connect:ListAnalyticsDataAssociations connect:ListAnalyticsDataLakeDataSets connect:ListApprovedOrigins connect:ListAssociatedContacts connect:ListAuthenticationProfiles connect:ListBots connect:ListContactEvaluations connect:ListContactFlowModuleAliases connect:ListContactFlowModuleVersions connect:ListContactFlowModules connect:ListContactFlowVersions connect:ListContactFlows connect:ListContactReferences connect:ListDataTableAttributes connect:ListDataTablePrimaryValues connect:ListDataTableValues connect:ListDataTables connect:ListDefaultVocabularies connect:ListEvaluationFormVersions connect:ListEvaluationForms connect:ListFlowAssociations connect:ListHoursOfOperations connect:ListInstanceAttributes connect:ListInstanceStorageConfigs connect:ListIntegrationAssociations connect:ListLambdaFunctions connect:ListLexBots connect:ListPhoneNumbers connect:ListPhoneNumbersV2 connect:ListPredefinedAttributes connect:ListPrompts connect:ListQueueQuickConnects connect:ListQueues connect:ListQuickConnects connect:ListRealtimeContactAnalysisSegmentsV2 connect:ListRoutingProfileManualAssignmentQueues connect:ListRoutingProfileQueues connect:ListRoutingProfiles connect:ListRules connect:ListSecurityKeys connect:ListSecurityProfileApplications connect:ListSecurityProfileFlowModules connect:ListSecurityProfilePermissions connect:ListSecurityProfiles connect:ListTaskTemplates connect:ListTrafficDistributionGroups connect:ListUseCases connect:ListUserHierarchyGroups connect:ListUsers connect:ListViewVersions connect:ListViews connect:ListWorkspaceMedia connect:ListWorkspacePages connect:ListWorkspaces connect:MonitorContact connect:PauseContact connect:PutUserStatus connect:ReleasePhoneNumber connect:ReplicateInstance connect:ResumeContact connect:ResumeContactRecording connect:SearchAgentStatuses connect:SearchAvailablePhoneNumbers connect:SearchContactEvaluations connect:SearchContactFlowModules connect:SearchContactFlows connect:SearchContacts connect:SearchDataTables connect:SearchEmailAddresses connect:SearchEvaluationForms connect:SearchHoursOfOperations connect:SearchPredefinedAttributes connect:SearchPrompts connect:SearchQueues connect:SearchQuickConnects connect:SearchRoutingProfiles connect:SearchSecurityProfiles connect:SearchUserHierarchyGroups connect:SearchViews connect:SearchVocabularies connect:SearchWorkspaceAssociations connect:SearchWorkspaces connect:SendChatIntegrationEvent connect:SendOutboundEmail connect:StartChatContact connect:StartContactEvaluation connect:StartContactMediaProcessing connect:StartContactRecording connect:StartContactStreaming connect:StartEmailContact connect:StartOutboundChatContact connect:StartOutboundEmailContact connect:StartOutboundVoiceContact connect:StartScreenSharing connect:StartTaskContact connect:StartWebRTCContact connect:StopContact connect:StopContactMediaProcessing connect:StopContactRecording connect:StopContactStreaming connect:SubmitContactEvaluation connect:SuspendContactRecording connect:TransferContact connect:UpdateAgentStatus connect:UpdateAuthenticationProfile connect:UpdateContact connect:UpdateContactAttributes connect:UpdateContactEvaluation connect:UpdateContactFlowContent connect:UpdateContactFlowMetadata connect:UpdateContactFlowModuleAlias connect:UpdateContactFlowModuleContent connect:UpdateContactFlowModuleMetadata connect:UpdateContactFlowName connect:UpdateContactRoutingData connect:UpdateContactSchedule connect:UpdateDataTableAttribute connect:UpdateDataTableMetadata connect:UpdateDataTablePrimaryValues connect:UpdateEmailAddressMetadata connect:UpdateEvaluationForm connect:UpdateHoursOfOperation connect:UpdateHoursOfOperationOverride connect:UpdateInstanceAttribute connect:UpdateInstanceStorageConfig connect:UpdateParticipantAuthentication connect:UpdateParticipantRoleConfig connect:UpdatePhoneNumber connect:UpdatePhoneNumberMetadata connect:UpdatePredefinedAttribute connect:UpdatePrompt connect:UpdateQueueHoursOfOperation connect:UpdateQueueMaxContacts connect:UpdateQueueName connect:UpdateQueueOutboundCallerConfig connect:UpdateQueueOutboundEmailConfig connect:UpdateQueueStatus connect:UpdateQuickConnectConfig connect:UpdateQuickConnectName connect:UpdateRoutingProfileAgentAvailabilityTimer connect:UpdateRoutingProfileConcurrency connect:UpdateRoutingProfileDefaultOutboundQueue connect:UpdateRoutingProfileName connect:UpdateRoutingProfileQueues connect:UpdateRule connect:UpdateSecurityProfile connect:UpdateTaskTemplate connect:UpdateTrafficDistribution connect:UpdateUserHierarchy connect:UpdateUserHierarchyGroupName connect:UpdateUserHierarchyStructure connect:UpdateUserIdentityInfo connect:UpdateUserPhoneConfig connect:UpdateUserProficiencies connect:UpdateUserRoutingProfile connect:UpdateUserSecurityProfiles connect:UpdateViewContent connect:UpdateViewMetadata connect:UpdateWorkspaceMetadata connect:UpdateWorkspaceTheme connect:UpdateWorkspaceVisibility |
| cur | cur:DeleteReportDefinition cur:DescribeReportDefinitions cur:ModifyReportDefinition cur:PutReportDefinition |
| databrew | databrew:BatchDeleteRecipeVersion databrew:CreateDataset databrew:CreateProfileJob databrew:CreateProject databrew:CreateRecipe databrew:CreateRecipeJob databrew:CreateRuleset databrew:CreateSchedule databrew:DeleteDataset databrew:DeleteJob databrew:DeleteProject databrew:DeleteRecipeVersion databrew:DeleteRuleset databrew:DeleteSchedule databrew:DescribeDataset databrew:DescribeJob databrew:DescribeJobRun databrew:DescribeProject databrew:DescribeRecipe databrew:DescribeRuleset databrew:DescribeSchedule databrew:ListDatasets databrew:ListJobRuns databrew:ListJobs databrew:ListProjects databrew:ListRecipeVersions databrew:ListRecipes databrew:ListRulesets databrew:ListSchedules databrew:PublishRecipe databrew:SendProjectSessionAction databrew:StartJobRun databrew:StartProjectSession databrew:StopJobRun databrew:UpdateDataset databrew:UpdateProfileJob databrew:UpdateProject databrew:UpdateRecipe databrew:UpdateRecipeJob databrew:UpdateRuleset databrew:UpdateSchedule |
| dataexchange | dataexchange:AcceptDataGrant dataexchange:CancelJob dataexchange:CreateDataGrant dataexchange:CreateDataSet dataexchange:CreateEventAction dataexchange:CreateJob dataexchange:CreateRevision dataexchange:DeleteAsset dataexchange:DeleteDataGrant dataexchange:DeleteEventAction dataexchange:DeleteRevision dataexchange:GetDataGrant dataexchange:GetEventAction dataexchange:GetJob dataexchange:GetReceivedDataGrant dataexchange:ListDataGrants dataexchange:ListDataSetRevisions dataexchange:ListDataSets dataexchange:ListEventActions dataexchange:ListJobs dataexchange:ListReceivedDataGrants dataexchange:ListRevisionAssets dataexchange:RevokeRevision dataexchange:SendDataSetNotification dataexchange:StartJob dataexchange:UpdateAsset dataexchange:UpdateDataSet dataexchange:UpdateEventAction dataexchange:UpdateRevision |
| datapipeline | datapipeline:ActivatePipeline datapipeline:CreatePipeline datapipeline:DeactivatePipeline datapipeline:DeletePipeline datapipeline:DescribeObjects datapipeline:DescribePipelines datapipeline:EvaluateExpression datapipeline:GetPipelineDefinition datapipeline:ListPipelines datapipeline:PollForTask datapipeline:PutPipelineDefinition datapipeline:QueryObjects datapipeline:ReportTaskProgress datapipeline:ReportTaskRunnerHeartbeat datapipeline:SetStatus datapipeline:SetTaskStatus datapipeline:ValidatePipelineDefinition |
| dax | dax:CreateCluster dax:DecreaseReplicationFactor dax:DeleteCluster dax:DeleteParameterGroup dax:DeleteSubnetGroup dax:DescribeClusters dax:DescribeDefaultParameters dax:DescribeEvents dax:DescribeParameterGroups dax:DescribeParameters dax:DescribeSubnetGroups dax:IncreaseReplicationFactor dax:RebootNode dax:UpdateCluster dax:UpdateParameterGroup dax:UpdateSubnetGroup |
| devicefarm | devicefarm:CreateDevicePool devicefarm:CreateInstanceProfile devicefarm:CreateNetworkProfile devicefarm:CreateProject devicefarm:CreateRemoteAccessSession devicefarm:CreateTestGridProject devicefarm:CreateTestGridUrl devicefarm:CreateUpload devicefarm:CreateVPCEConfiguration devicefarm:DeleteDevicePool devicefarm:DeleteInstanceProfile devicefarm:DeleteNetworkProfile devicefarm:DeleteProject devicefarm:DeleteRemoteAccessSession devicefarm:DeleteRun devicefarm:DeleteTestGridProject devicefarm:DeleteUpload devicefarm:DeleteVPCEConfiguration devicefarm:GetAccountSettings devicefarm:GetDevice devicefarm:GetDeviceInstance devicefarm:GetDevicePool devicefarm:GetDevicePoolCompatibility devicefarm:GetInstanceProfile devicefarm:GetJob devicefarm:GetNetworkProfile devicefarm:GetOfferingStatus devicefarm:GetProject devicefarm:GetRemoteAccessSession devicefarm:GetRun devicefarm:GetSuite devicefarm:GetTest devicefarm:GetTestGridProject devicefarm:GetTestGridSession devicefarm:GetUpload devicefarm:GetVPCEConfiguration devicefarm:ListArtifacts devicefarm:ListDeviceInstances devicefarm:ListDevicePools devicefarm:ListDevices devicefarm:ListInstanceProfiles devicefarm:ListJobs devicefarm:ListNetworkProfiles devicefarm:ListOfferingPromotions devicefarm:ListOfferingTransactions devicefarm:ListOfferings devicefarm:ListProjects devicefarm:ListRemoteAccessSessions devicefarm:ListRuns devicefarm:ListSamples devicefarm:ListSuites devicefarm:ListTestGridProjects devicefarm:ListTestGridSessionActions devicefarm:ListTestGridSessionArtifacts devicefarm:ListTestGridSessions devicefarm:ListTests devicefarm:ListUniqueProblems devicefarm:ListUploads devicefarm:ListVPCEConfigurations devicefarm:PurchaseOffering devicefarm:RenewOffering devicefarm:ScheduleRun devicefarm:StopJob devicefarm:StopRemoteAccessSession devicefarm:StopRun devicefarm:UpdateDeviceInstance devicefarm:UpdateDevicePool devicefarm:UpdateInstanceProfile devicefarm:UpdateNetworkProfile devicefarm:UpdateProject devicefarm:UpdateTestGridProject devicefarm:UpdateUpload devicefarm:UpdateVPCEConfiguration |
| devops-guru | devops-guru:AddNotificationChannel devops-guru:DeleteInsight devops-guru:DescribeAccountHealth devops-guru:DescribeAccountOverview devops-guru:DescribeAnomaly devops-guru:DescribeEventSourcesConfig devops-guru:DescribeFeedback devops-guru:DescribeInsight devops-guru:DescribeOrganizationHealth devops-guru:DescribeOrganizationOverview devops-guru:DescribeOrganizationResourceCollectionHealth devops-guru:DescribeResourceCollectionHealth devops-guru:DescribeServiceIntegration devops-guru:GetCostEstimation devops-guru:GetResourceCollection devops-guru:ListAnomaliesForInsight devops-guru:ListAnomalousLogGroups devops-guru:ListEvents devops-guru:ListInsights devops-guru:ListMonitoredResources devops-guru:ListNotificationChannels devops-guru:ListOrganizationInsights devops-guru:ListRecommendations devops-guru:PutFeedback devops-guru:RemoveNotificationChannel devops-guru:SearchInsights devops-guru:SearchOrganizationInsights devops-guru:StartCostEstimation devops-guru:UpdateEventSourcesConfig devops-guru:UpdateResourceCollection devops-guru:UpdateServiceIntegration |
| directconnect | directconnect:AcceptDirectConnectGatewayAssociationProposal directconnect:AllocateConnectionOnInterconnect directconnect:AllocateHostedConnection directconnect:AllocatePrivateVirtualInterface directconnect:AllocatePublicVirtualInterface directconnect:AllocateTransitVirtualInterface directconnect:AssociateConnectionWithLag directconnect:AssociateHostedConnection directconnect:AssociateMacSecKey directconnect:AssociateVirtualInterface directconnect:ConfirmConnection directconnect:ConfirmCustomerAgreement directconnect:ConfirmPrivateVirtualInterface directconnect:ConfirmPublicVirtualInterface directconnect:ConfirmTransitVirtualInterface directconnect:CreateBGPPeer directconnect:CreateConnection directconnect:CreateDirectConnectGateway directconnect:CreateDirectConnectGatewayAssociation directconnect:CreateDirectConnectGatewayAssociationProposal directconnect:CreateInterconnect directconnect:CreateLag directconnect:CreatePrivateVirtualInterface directconnect:CreatePublicVirtualInterface directconnect:CreateTransitVirtualInterface directconnect:DeleteBGPPeer directconnect:DeleteConnection directconnect:DeleteDirectConnectGateway directconnect:DeleteDirectConnectGatewayAssociation directconnect:DeleteDirectConnectGatewayAssociationProposal directconnect:DeleteInterconnect directconnect:DeleteLag directconnect:DeleteVirtualInterface directconnect:DescribeConnectionLoa directconnect:DescribeConnections directconnect:DescribeConnectionsOnInterconnect directconnect:DescribeCustomerMetadata directconnect:DescribeDirectConnectGatewayAssociationProposals directconnect:DescribeDirectConnectGatewayAssociations directconnect:DescribeDirectConnectGatewayAttachments directconnect:DescribeDirectConnectGateways directconnect:DescribeHostedConnections directconnect:DescribeInterconnectLoa directconnect:DescribeInterconnects directconnect:DescribeLags directconnect:DescribeLoa directconnect:DescribeLocations directconnect:DescribeRouterConfiguration directconnect:DescribeVirtualGateways directconnect:DescribeVirtualInterfaces directconnect:DisassociateConnectionFromLag directconnect:DisassociateMacSecKey directconnect:ListVirtualInterfaceTestHistory directconnect:StartBgpFailoverTest directconnect:StopBgpFailoverTest directconnect:UpdateConnection directconnect:UpdateDirectConnectGateway directconnect:UpdateDirectConnectGatewayAssociation directconnect:UpdateLag directconnect:UpdateVirtualInterfaceAttributes |
| dlm | dlm:CreateLifecyclePolicy dlm:DeleteLifecyclePolicy dlm:GetLifecyclePolicies dlm:GetLifecyclePolicy dlm:UpdateLifecyclePolicy |
| dms | dms:ApplyPendingMaintenanceAction dms:AssociateExtensionPack dms:BatchStartRecommendations dms:CancelMetadataModelCreation dms:CancelReplicationTaskAssessmentRun dms:CreateDataProvider dms:CreateEndpoint dms:CreateEventSubscription dms:CreateInstanceProfile dms:CreateMigrationProject dms:CreateReplicationConfig dms:CreateReplicationInstance dms:CreateReplicationSubnetGroup dms:CreateReplicationTask dms:DeleteCertificate dms:DeleteConnection dms:DeleteDataMigration dms:DeleteDataProvider dms:DeleteEndpoint dms:DeleteEventSubscription dms:DeleteFleetAdvisorCollector dms:DeleteFleetAdvisorDatabases dms:DeleteInstanceProfile dms:DeleteMigrationProject dms:DeleteReplicationConfig dms:DeleteReplicationInstance dms:DeleteReplicationSubnetGroup dms:DeleteReplicationTask dms:DeleteReplicationTaskAssessmentRun dms:DescribeAccountAttributes dms:DescribeApplicableIndividualAssessments dms:DescribeCertificates dms:DescribeConnections dms:DescribeDataMigrations dms:DescribeEndpointSettings dms:DescribeEndpointTypes dms:DescribeEndpoints dms:DescribeEngineVersions dms:DescribeEventCategories dms:DescribeEventSubscriptions dms:DescribeEvents dms:DescribeFleetAdvisorCollectors dms:DescribeFleetAdvisorDatabases dms:DescribeFleetAdvisorLsaAnalysis dms:DescribeFleetAdvisorSchemaObjectSummary dms:DescribeFleetAdvisorSchemas dms:DescribeMetadataModel dms:DescribeMetadataModelChildren dms:DescribeMetadataModelCreations dms:DescribeMetadataModelImports dms:DescribeOrderableReplicationInstances dms:DescribePendingMaintenanceActions dms:DescribeRecommendationLimitations dms:DescribeRecommendations dms:DescribeRefreshSchemasStatus dms:DescribeReplicationConfigs dms:DescribeReplicationInstanceTaskLogs dms:DescribeReplicationInstances dms:DescribeReplicationSubnetGroups dms:DescribeReplicationTableStatistics dms:DescribeReplicationTaskAssessmentResults dms:DescribeReplicationTaskAssessmentRuns dms:DescribeReplicationTaskIndividualAssessments dms:DescribeReplicationTasks dms:DescribeReplications dms:DescribeSchemas dms:DescribeTableStatistics dms:ExportMetadataModelAssessment dms:ImportCertificate dms:ListDataProviders dms:ListExtensionPacks dms:ListInstanceProfiles dms:ListMetadataModelAssessments dms:ListMetadataModelConversions dms:ListMetadataModelExports dms:ListMigrationProjects dms:ModifyDataMigration dms:ModifyEndpoint dms:ModifyEventSubscription dms:ModifyReplicationConfig dms:ModifyReplicationInstance dms:ModifyReplicationSubnetGroup dms:ModifyReplicationTask dms:MoveReplicationTask dms:RebootReplicationInstance dms:RefreshSchemas dms:ReloadReplicationTables dms:ReloadTables dms:RunFleetAdvisorLsaAnalysis dms:StartMetadataModelAssessment dms:StartMetadataModelConversion dms:StartMetadataModelCreation dms:StartMetadataModelExportAsScripts dms:StartMetadataModelExportToTarget dms:StartRecommendations dms:StartReplication dms:StartReplicationTask dms:StartReplicationTaskAssessment dms:StopDataMigration dms:StopReplicationTask dms:TestConnection dms:UpdateConversionConfiguration dms:UpdateDataProvider dms:UpdateInstanceProfile dms:UpdateMigrationProject dms:UpdateSubscriptionsToEventBridge |
| docdb-elastic | docdb-elastic:ApplyPendingMaintenanceAction docdb-elastic:CopyClusterSnapshot docdb-elastic:DeleteCluster docdb-elastic:DeleteClusterSnapshot docdb-elastic:GetCluster docdb-elastic:GetClusterSnapshot docdb-elastic:GetPendingMaintenanceAction docdb-elastic:ListClusterSnapshots docdb-elastic:ListClusters docdb-elastic:ListPendingMaintenanceActions docdb-elastic:RestoreClusterFromSnapshot docdb-elastic:StartCluster docdb-elastic:StopCluster docdb-elastic:UpdateCluster |
| dynamodb | dynamodb:AssociateTableReplica dynamodb:CreateBackup dynamodb:CreateGlobalTable dynamodb:CreateTable dynamodb:DeleteBackup dynamodb:DeleteTable dynamodb:DescribeBackup dynamodb:DescribeContinuousBackups dynamodb:DescribeContributorInsights dynamodb:DescribeEndpoints dynamodb:DescribeExport dynamodb:DescribeGlobalTable dynamodb:DescribeGlobalTableSettings dynamodb:DescribeImport dynamodb:DescribeKinesisStreamingDestination dynamodb:DescribeLimits dynamodb:DescribeStream dynamodb:DescribeTable dynamodb:DescribeTableReplicaAutoScaling dynamodb:DescribeTimeToLive dynamodb:DisableKinesisStreamingDestination dynamodb:EnableKinesisStreamingDestination dynamodb:ExportTableToPointInTime dynamodb:GetResourcePolicy dynamodb:ImportTable dynamodb:ListBackups dynamodb:ListContributorInsights dynamodb:ListExports dynamodb:ListGlobalTables dynamodb:ListImports dynamodb:ListStreams dynamodb:ListTables dynamodb:ReadDataForReplication dynamodb:ReplicateSettings dynamodb:RestoreTableFromBackup dynamodb:RestoreTableToPointInTime dynamodb:UpdateContinuousBackups dynamodb:UpdateContributorInsights dynamodb:UpdateGlobalTable dynamodb:UpdateGlobalTableSettings dynamodb:UpdateKinesisStreamingDestination dynamodb:UpdateTable dynamodb:UpdateTableReplicaAutoScaling dynamodb:UpdateTimeToLive dynamodb:WriteDataForReplication |
| ebs | ebs:CompleteSnapshot ebs:StartSnapshot |
| ec2 | ec2:AcceptAddressTransfer ec2:AcceptCapacityReservationBillingOwnership ec2:AcceptReservedInstancesExchangeQuote ec2:AcceptTransitGatewayMulticastDomainAssociations ec2:AcceptTransitGatewayPeeringAttachment ec2:AcceptTransitGatewayVpcAttachment ec2:AcceptVpcEndpointConnections ec2:AcceptVpcPeeringConnection ec2:AdvertiseByoipCidr ec2:AllocateAddress ec2:AllocateHosts ec2:AllocateIpamPoolCidr ec2:ApplySecurityGroupsToClientVpnTargetNetwork ec2:AssignIpv6Addresses ec2:AssignPrivateIpAddresses ec2:AssignPrivateNatGatewayAddress ec2:AssociateAddress ec2:AssociateCapacityReservationBillingOwner ec2:AssociateClientVpnTargetNetwork ec2:AssociateDhcpOptions ec2:AssociateEnclaveCertificateIamRole ec2:AssociateIamInstanceProfile ec2:AssociateInstanceEventWindow ec2:AssociateIpamByoasn ec2:AssociateIpamResourceDiscovery ec2:AssociateNatGatewayAddress ec2:AssociateRouteServer ec2:AssociateRouteTable ec2:AssociateSecurityGroupVpc ec2:AssociateSubnetCidrBlock ec2:AssociateTransitGatewayMulticastDomain ec2:AssociateTransitGatewayPolicyTable ec2:AssociateTransitGatewayRouteTable ec2:AssociateTrunkInterface ec2:AssociateVpcCidrBlock ec2:AttachClassicLinkVpc ec2:AttachInternetGateway ec2:AttachNetworkInterface ec2:AttachVerifiedAccessTrustProvider ec2:AttachVolume ec2:AttachVpnGateway ec2:AuthorizeClientVpnIngress ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:BundleInstance ec2:CancelBundleTask ec2:CancelCapacityReservation ec2:CancelCapacityReservationFleets ec2:CancelConversionTask ec2:CancelDeclarativePoliciesReport ec2:CancelExportTask ec2:CancelImageLaunchPermission ec2:CancelImportTask ec2:CancelReservedInstancesListing ec2:CancelSpotFleetRequests ec2:CancelSpotInstanceRequests ec2:ConfirmProductInstance ec2:CopyFpgaImage ec2:CopyImage ec2:CopySnapshot ec2:CopyVolumes ec2:CreateCapacityManagerDataExport ec2:CreateCapacityReservation ec2:CreateCapacityReservationBySplitting ec2:CreateCapacityReservationFleet ec2:CreateCarrierGateway ec2:CreateClientVpnEndpoint ec2:CreateClientVpnRoute ec2:CreateCoipCidr ec2:CreateCoipPool ec2:CreateCustomerGateway ec2:CreateDefaultSubnet ec2:CreateDefaultVpc ec2:CreateDelegateMacVolumeOwnershipTask ec2:CreateDhcpOptions ec2:CreateEgressOnlyInternetGateway ec2:CreateFleet ec2:CreateFlowLogs ec2:CreateFpgaImage ec2:CreateImage ec2:CreateImageUsageReport ec2:CreateInstanceConnectEndpoint ec2:CreateInstanceEventWindow ec2:CreateInstanceExportTask ec2:CreateInternetGateway ec2:CreateInterruptibleCapacityReservationAllocation ec2:CreateIpam ec2:CreateIpamExternalResourceVerificationToken ec2:CreateIpamPolicy ec2:CreateIpamPool ec2:CreateIpamPrefixListResolver ec2:CreateIpamPrefixListResolverTarget ec2:CreateIpamResourceDiscovery ec2:CreateIpamScope ec2:CreateKeyPair ec2:CreateLaunchTemplateVersion ec2:CreateLocalGatewayRoute ec2:CreateLocalGatewayRouteTable ec2:CreateLocalGatewayRouteTableVirtualInterfaceGroupAssociation ec2:CreateLocalGatewayRouteTableVpcAssociation ec2:CreateLocalGatewayVirtualInterface ec2:CreateLocalGatewayVirtualInterfaceGroup ec2:CreateMacSystemIntegrityProtectionModificationTask ec2:CreateManagedPrefixList ec2:CreateNatGateway ec2:CreateNetworkAcl ec2:CreateNetworkAclEntry ec2:CreateNetworkInsightsAccessScope ec2:CreateNetworkInsightsPath ec2:CreateNetworkInterface ec2:CreateNetworkInterfacePermission ec2:CreatePlacementGroup ec2:CreatePublicIpv4Pool ec2:CreateReplaceRootVolumeTask ec2:CreateReservedInstancesListing ec2:CreateRestoreImageTask ec2:CreateRoute ec2:CreateRouteServer ec2:CreateRouteServerEndpoint ec2:CreateRouteServerPeer ec2:CreateRouteTable ec2:CreateSecurityGroup ec2:CreateSnapshots ec2:CreateSpotDatafeedSubscription ec2:CreateStoreImageTask ec2:CreateSubnet ec2:CreateSubnetCidrReservation ec2:CreateTrafficMirrorFilter ec2:CreateTrafficMirrorFilterRule ec2:CreateTrafficMirrorSession ec2:CreateTrafficMirrorTarget ec2:CreateTransitGateway ec2:CreateTransitGatewayConnect ec2:CreateTransitGatewayConnectPeer ec2:CreateTransitGatewayMeteringPolicy ec2:CreateTransitGatewayMeteringPolicyEntry ec2:CreateTransitGatewayMulticastDomain ec2:CreateTransitGatewayPeeringAttachment ec2:CreateTransitGatewayPolicyTable ec2:CreateTransitGatewayPrefixListReference ec2:CreateTransitGatewayRoute ec2:CreateTransitGatewayRouteTable ec2:CreateTransitGatewayRouteTableAnnouncement ec2:CreateTransitGatewayVpcAttachment ec2:CreateVerifiedAccessEndpoint ec2:CreateVerifiedAccessGroup ec2:CreateVerifiedAccessInstance ec2:CreateVerifiedAccessTrustProvider ec2:CreateVolume ec2:CreateVpc ec2:CreateVpcBlockPublicAccessExclusion ec2:CreateVpcEncryptionControl ec2:CreateVpcEndpoint ec2:CreateVpcEndpointConnectionNotification ec2:CreateVpcEndpointServiceConfiguration ec2:CreateVpcPeeringConnection ec2:CreateVpnConcentrator ec2:CreateVpnConnection ec2:CreateVpnConnectionRoute ec2:CreateVpnGateway ec2:DeleteCapacityManagerDataExport ec2:DeleteCarrierGateway ec2:DeleteClientVpnEndpoint ec2:DeleteClientVpnRoute ec2:DeleteCoipCidr ec2:DeleteCoipPool ec2:DeleteCustomerGateway ec2:DeleteDhcpOptions ec2:DeleteEgressOnlyInternetGateway ec2:DeleteFleets ec2:DeleteFlowLogs ec2:DeleteFpgaImage ec2:DeleteImageUsageReport ec2:DeleteInstanceConnectEndpoint ec2:DeleteInstanceEventWindow ec2:DeleteInternetGateway ec2:DeleteIpam ec2:DeleteIpamExternalResourceVerificationToken ec2:DeleteIpamPolicy ec2:DeleteIpamPool ec2:DeleteIpamPrefixListResolver ec2:DeleteIpamPrefixListResolverTarget ec2:DeleteIpamResourceDiscovery ec2:DeleteIpamScope ec2:DeleteKeyPair ec2:DeleteLaunchTemplate ec2:DeleteLaunchTemplateVersions ec2:DeleteLocalGatewayRoute ec2:DeleteLocalGatewayRouteTable ec2:DeleteLocalGatewayRouteTableVirtualInterfaceGroupAssociation ec2:DeleteLocalGatewayRouteTableVpcAssociation ec2:DeleteLocalGatewayVirtualInterface ec2:DeleteLocalGatewayVirtualInterfaceGroup ec2:DeleteManagedPrefixList ec2:DeleteNatGateway ec2:DeleteNetworkAcl ec2:DeleteNetworkAclEntry ec2:DeleteNetworkInsightsAccessScope ec2:DeleteNetworkInsightsAccessScopeAnalysis ec2:DeleteNetworkInsightsAnalysis ec2:DeleteNetworkInsightsPath ec2:DeleteNetworkInterface ec2:DeleteNetworkInterfacePermission ec2:DeletePlacementGroup ec2:DeletePublicIpv4Pool ec2:DeleteQueuedReservedInstances ec2:DeleteRoute ec2:DeleteRouteServer ec2:DeleteRouteServerEndpoint ec2:DeleteRouteServerPeer ec2:DeleteRouteTable ec2:DeleteSecurityGroup ec2:DeleteSpotDatafeedSubscription ec2:DeleteSubnet ec2:DeleteSubnetCidrReservation ec2:DeleteTrafficMirrorFilter ec2:DeleteTrafficMirrorFilterRule ec2:DeleteTrafficMirrorSession ec2:DeleteTrafficMirrorTarget ec2:DeleteTransitGateway ec2:DeleteTransitGatewayConnect ec2:DeleteTransitGatewayConnectPeer ec2:DeleteTransitGatewayMeteringPolicy ec2:DeleteTransitGatewayMeteringPolicyEntry ec2:DeleteTransitGatewayMulticastDomain ec2:DeleteTransitGatewayPeeringAttachment ec2:DeleteTransitGatewayPolicyTable ec2:DeleteTransitGatewayPrefixListReference ec2:DeleteTransitGatewayRoute ec2:DeleteTransitGatewayRouteTable ec2:DeleteTransitGatewayRouteTableAnnouncement ec2:DeleteTransitGatewayVpcAttachment ec2:DeleteVerifiedAccessEndpoint ec2:DeleteVerifiedAccessGroup ec2:DeleteVerifiedAccessInstance ec2:DeleteVerifiedAccessTrustProvider ec2:DeleteVolume ec2:DeleteVpc ec2:DeleteVpcBlockPublicAccessExclusion ec2:DeleteVpcEncryptionControl ec2:DeleteVpcEndpointConnectionNotifications ec2:DeleteVpcEndpointServiceConfigurations ec2:DeleteVpcEndpoints ec2:DeleteVpcPeeringConnection ec2:DeleteVpnConcentrator ec2:DeleteVpnConnection ec2:DeleteVpnConnectionRoute ec2:DeleteVpnGateway ec2:DeprovisionByoipCidr ec2:DeprovisionIpamByoasn ec2:DeprovisionIpamPoolCidr ec2:DeprovisionPublicIpv4PoolCidr ec2:DeregisterImage ec2:DeregisterInstanceEventNotificationAttributes ec2:DeregisterTransitGatewayMulticastGroupMembers ec2:DeregisterTransitGatewayMulticastGroupSources ec2:DescribeAccountAttributes ec2:DescribeAddressTransfers ec2:DescribeAddresses ec2:DescribeAddressesAttribute ec2:DescribeAggregateIdFormat ec2:DescribeAvailabilityZones ec2:DescribeAwsNetworkPerformanceMetricSubscriptions ec2:DescribeBundleTasks ec2:DescribeByoipCidrs ec2:DescribeCapacityBlockExtensionHistory ec2:DescribeCapacityBlockExtensionOfferings ec2:DescribeCapacityBlockStatus ec2:DescribeCapacityBlocks ec2:DescribeCapacityManagerDataExports ec2:DescribeCapacityReservationBillingRequests ec2:DescribeCapacityReservationFleets ec2:DescribeCapacityReservationTopology ec2:DescribeCapacityReservations ec2:DescribeCarrierGateways ec2:DescribeClassicLinkInstances ec2:DescribeClientVpnAuthorizationRules ec2:DescribeClientVpnConnections ec2:DescribeClientVpnEndpoints ec2:DescribeClientVpnRoutes ec2:DescribeClientVpnTargetNetworks ec2:DescribeCoipPools ec2:DescribeConversionTasks ec2:DescribeCustomerGateways ec2:DescribeDeclarativePoliciesReports ec2:DescribeDhcpOptions ec2:DescribeEgressOnlyInternetGateways ec2:DescribeElasticGpus ec2:DescribeExportImageTasks ec2:DescribeExportTasks ec2:DescribeFastLaunchImages ec2:DescribeFastSnapshotRestores ec2:DescribeFleetHistory ec2:DescribeFleetInstances ec2:DescribeFleets ec2:DescribeFlowLogs ec2:DescribeFpgaImageAttribute ec2:DescribeFpgaImages ec2:DescribeHostReservationOfferings ec2:DescribeHostReservations ec2:DescribeHosts ec2:DescribeIamInstanceProfileAssociations ec2:DescribeIdFormat ec2:DescribeIdentityIdFormat ec2:DescribeImageAttribute ec2:DescribeImageReferences ec2:DescribeImageUsageReportEntries ec2:DescribeImageUsageReports ec2:DescribeImportImageTasks ec2:DescribeImportSnapshotTasks ec2:DescribeInstanceConnectEndpoints ec2:DescribeInstanceCreditSpecifications ec2:DescribeInstanceEventNotificationAttributes ec2:DescribeInstanceEventWindows ec2:DescribeInstanceImageMetadata ec2:DescribeInstanceSqlHaHistoryStates ec2:DescribeInstanceSqlHaStates ec2:DescribeInstanceTopology ec2:DescribeInstanceTypes ec2:DescribeInternetGateways ec2:DescribeIpamByoasn ec2:DescribeIpamExternalResourceVerificationTokens ec2:DescribeIpamPolicies ec2:DescribeIpamPools ec2:DescribeIpamPrefixListResolverTargets ec2:DescribeIpamPrefixListResolvers ec2:DescribeIpamResourceDiscoveries ec2:DescribeIpamResourceDiscoveryAssociations ec2:DescribeIpamScopes ec2:DescribeIpams ec2:DescribeIpv6Pools ec2:DescribeKeyPairs ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations ec2:DescribeLocalGatewayRouteTableVpcAssociations ec2:DescribeLocalGatewayRouteTables ec2:DescribeLocalGatewayVirtualInterfaceGroups ec2:DescribeLocalGatewayVirtualInterfaces ec2:DescribeLocalGateways ec2:DescribeLockedSnapshots ec2:DescribeMacHosts ec2:DescribeMacModificationTasks ec2:DescribeManagedPrefixLists ec2:DescribeMovingAddresses ec2:DescribeNatGateways ec2:DescribeNetworkAcls ec2:DescribeNetworkInsightsAccessScopeAnalyses ec2:DescribeNetworkInsightsAccessScopes ec2:DescribeNetworkInsightsAnalyses ec2:DescribeNetworkInsightsPaths ec2:DescribeNetworkInterfaceAttribute ec2:DescribeNetworkInterfacePermissions ec2:DescribeNetworkInterfaces ec2:DescribeOutpostLags ec2:DescribePlacementGroups ec2:DescribePrefixLists ec2:DescribePrincipalIdFormat ec2:DescribePublicIpv4Pools ec2:DescribeRegions ec2:DescribeReplaceRootVolumeTasks ec2:DescribeReservedInstances ec2:DescribeReservedInstancesListings ec2:DescribeReservedInstancesModifications ec2:DescribeReservedInstancesOfferings ec2:DescribeRouteServerEndpoints ec2:DescribeRouteServerPeers ec2:DescribeRouteServers ec2:DescribeRouteTables ec2:DescribeScheduledInstanceAvailability ec2:DescribeScheduledInstances ec2:DescribeSecurityGroupReferences ec2:DescribeSecurityGroupRules ec2:DescribeSecurityGroupVpcAssociations ec2:DescribeSecurityGroups ec2:DescribeServiceLinkVirtualInterfaces ec2:DescribeSnapshotAttribute ec2:DescribeSnapshotTierStatus ec2:DescribeSpotDatafeedSubscription ec2:DescribeSpotFleetInstances ec2:DescribeSpotFleetRequestHistory ec2:DescribeSpotFleetRequests ec2:DescribeSpotInstanceRequests ec2:DescribeSpotPriceHistory ec2:DescribeStaleSecurityGroups ec2:DescribeStoreImageTasks ec2:DescribeTrafficMirrorFilterRules ec2:DescribeTrafficMirrorFilters ec2:DescribeTrafficMirrorSessions ec2:DescribeTrafficMirrorTargets ec2:DescribeTransitGatewayAttachments ec2:DescribeTransitGatewayConnectPeers ec2:DescribeTransitGatewayConnects ec2:DescribeTransitGatewayMeteringPolicies ec2:DescribeTransitGatewayMulticastDomains ec2:DescribeTransitGatewayPeeringAttachments ec2:DescribeTransitGatewayPolicyTables ec2:DescribeTransitGatewayRouteTableAnnouncements ec2:DescribeTransitGatewayRouteTables ec2:DescribeTransitGatewayVpcAttachments ec2:DescribeTransitGateways ec2:DescribeTrunkInterfaceAssociations ec2:DescribeVerifiedAccessEndpoints ec2:DescribeVerifiedAccessGroups ec2:DescribeVerifiedAccessInstanceLoggingConfigurations ec2:DescribeVerifiedAccessInstances ec2:DescribeVerifiedAccessTrustProviders ec2:DescribeVolumeAttribute ec2:DescribeVolumeStatus ec2:DescribeVolumes ec2:DescribeVolumesModifications ec2:DescribeVpcAttribute ec2:DescribeVpcBlockPublicAccessExclusions ec2:DescribeVpcBlockPublicAccessOptions ec2:DescribeVpcClassicLink ec2:DescribeVpcClassicLinkDnsSupport ec2:DescribeVpcEncryptionControls ec2:DescribeVpcEndpointAssociations ec2:DescribeVpcEndpointConnectionNotifications ec2:DescribeVpcEndpointConnections ec2:DescribeVpcEndpointServiceConfigurations ec2:DescribeVpcEndpointServicePermissions ec2:DescribeVpcEndpointServices ec2:DescribeVpcEndpoints ec2:DescribeVpcPeeringConnections ec2:DescribeVpcs ec2:DescribeVpnConcentrators ec2:DescribeVpnConnections ec2:DescribeVpnGateways ec2:DetachClassicLinkVpc ec2:DetachInternetGateway ec2:DetachNetworkInterface ec2:DetachVerifiedAccessTrustProvider ec2:DetachVolume ec2:DetachVpnGateway ec2:DisableAddressTransfer ec2:DisableAllowedImagesSettings ec2:DisableAwsNetworkPerformanceMetricSubscription ec2:DisableCapacityManager ec2:DisableEbsEncryptionByDefault ec2:DisableFastLaunch ec2:DisableFastSnapshotRestores ec2:DisableImage ec2:DisableImageBlockPublicAccess ec2:DisableImageDeprecation ec2:DisableImageDeregistrationProtection ec2:DisableInstanceSqlHaStandbyDetections ec2:DisableIpamOrganizationAdminAccount ec2:DisableIpamPolicy ec2:DisableRouteServerPropagation ec2:DisableSerialConsoleAccess ec2:DisableSnapshotBlockPublicAccess ec2:DisableTransitGatewayRouteTablePropagation ec2:DisableVgwRoutePropagation ec2:DisableVpcClassicLink ec2:DisableVpcClassicLinkDnsSupport ec2:DisassociateAddress ec2:DisassociateCapacityReservationBillingOwner ec2:DisassociateClientVpnTargetNetwork ec2:DisassociateEnclaveCertificateIamRole ec2:DisassociateIamInstanceProfile ec2:DisassociateInstanceEventWindow ec2:DisassociateIpamByoasn ec2:DisassociateIpamResourceDiscovery ec2:DisassociateNatGatewayAddress ec2:DisassociateRouteServer ec2:DisassociateRouteTable ec2:DisassociateSecurityGroupVpc ec2:DisassociateSubnetCidrBlock ec2:DisassociateTransitGatewayMulticastDomain ec2:DisassociateTransitGatewayPolicyTable ec2:DisassociateTransitGatewayRouteTable ec2:DisassociateTrunkInterface ec2:DisassociateVpcCidrBlock ec2:EnableAddressTransfer ec2:EnableAllowedImagesSettings ec2:EnableAwsNetworkPerformanceMetricSubscription ec2:EnableCapacityManager ec2:EnableEbsEncryptionByDefault ec2:EnableFastLaunch ec2:EnableFastSnapshotRestores ec2:EnableImage ec2:EnableImageBlockPublicAccess ec2:EnableImageDeprecation ec2:EnableImageDeregistrationProtection ec2:EnableInstanceSqlHaStandbyDetections ec2:EnableIpamOrganizationAdminAccount ec2:EnableIpamPolicy ec2:EnableReachabilityAnalyzerOrganizationSharing ec2:EnableRouteServerPropagation ec2:EnableSerialConsoleAccess ec2:EnableSnapshotBlockPublicAccess ec2:EnableTransitGatewayRouteTablePropagation ec2:EnableVgwRoutePropagation ec2:EnableVolumeIO ec2:EnableVpcClassicLink ec2:EnableVpcClassicLinkDnsSupport ec2:ExportClientVpnClientCertificateRevocationList ec2:ExportClientVpnClientConfiguration ec2:ExportImage ec2:ExportTransitGatewayRoutes ec2:ExportVerifiedAccessInstanceClientConfiguration ec2:GetActiveVpnTunnelStatus ec2:GetAllowedImagesSettings ec2:GetAssociatedEnclaveCertificateIamRoles ec2:GetAssociatedIpv6PoolCidrs ec2:GetAwsNetworkPerformanceData ec2:GetCapacityManagerAttributes ec2:GetCapacityManagerMetricData ec2:GetCapacityManagerMetricDimensions ec2:GetCapacityReservationUsage ec2:GetCoipPoolUsage ec2:GetConsoleOutput ec2:GetConsoleScreenshot ec2:GetDeclarativePoliciesReportSummary ec2:GetDefaultCreditSpecification ec2:GetEbsDefaultKmsKeyId ec2:GetEbsEncryptionByDefault ec2:GetEnabledIpamPolicy ec2:GetFlowLogsIntegrationTemplate ec2:GetGroupsForCapacityReservation ec2:GetHostReservationPurchasePreview ec2:GetImageAncestry ec2:GetImageBlockPublicAccessState ec2:GetInstanceMetadataDefaults ec2:GetInstanceTpmEkPub ec2:GetInstanceTypesFromInstanceRequirements ec2:GetInstanceUefiData ec2:GetIpamAddressHistory ec2:GetIpamDiscoveredAccounts ec2:GetIpamDiscoveredPublicAddresses ec2:GetIpamDiscoveredResourceCidrs ec2:GetIpamPolicyAllocationRules ec2:GetIpamPolicyOrganizationTargets ec2:GetIpamPoolAllocations ec2:GetIpamPoolCidrs ec2:GetIpamPrefixListResolverRules ec2:GetIpamPrefixListResolverVersionEntries ec2:GetIpamPrefixListResolverVersions ec2:GetIpamResourceCidrs ec2:GetLaunchTemplateData ec2:GetManagedPrefixListAssociations ec2:GetManagedPrefixListEntries ec2:GetNetworkInsightsAccessScopeAnalysisFindings ec2:GetNetworkInsightsAccessScopeContent ec2:GetPasswordData ec2:GetReservedInstancesExchangeQuote ec2:GetRouteServerAssociations ec2:GetRouteServerPropagations ec2:GetRouteServerRoutingDatabase ec2:GetSecurityGroupsForVpc ec2:GetSerialConsoleAccessStatus ec2:GetSnapshotBlockPublicAccessState ec2:GetSpotPlacementScores ec2:GetSubnetCidrReservations ec2:GetTransitGatewayAttachmentPropagations ec2:GetTransitGatewayMeteringPolicyEntries ec2:GetTransitGatewayMulticastDomainAssociations ec2:GetTransitGatewayPolicyTableAssociations ec2:GetTransitGatewayPolicyTableEntries ec2:GetTransitGatewayPrefixListReferences ec2:GetTransitGatewayRouteTableAssociations ec2:GetTransitGatewayRouteTablePropagations ec2:GetVerifiedAccessEndpointPolicy ec2:GetVerifiedAccessEndpointTargets ec2:GetVerifiedAccessGroupPolicy ec2:GetVpcResourcesBlockingEncryptionEnforcement ec2:GetVpnConnectionDeviceSampleConfiguration ec2:GetVpnConnectionDeviceTypes ec2:GetVpnTunnelReplacementStatus ec2:ImportClientVpnClientCertificateRevocationList ec2:ImportImage ec2:ImportInstance ec2:ImportKeyPair ec2:ImportSnapshot ec2:ImportVolume ec2:InjectVolumeIOLatency ec2:ListImagesInRecycleBin ec2:ListSnapshotsInRecycleBin ec2:ListVolumesInRecycleBin ec2:LockSnapshot ec2:ModifyAddressAttribute ec2:ModifyAvailabilityZoneGroup ec2:ModifyCapacityReservation ec2:ModifyCapacityReservationFleet ec2:ModifyClientVpnEndpoint ec2:ModifyDefaultCreditSpecification ec2:ModifyEbsDefaultKmsKeyId ec2:ModifyFleet ec2:ModifyFpgaImageAttribute ec2:ModifyHosts ec2:ModifyIdFormat ec2:ModifyIdentityIdFormat ec2:ModifyImageAttribute ec2:ModifyInstanceAttribute ec2:ModifyInstanceCapacityReservationAttributes ec2:ModifyInstanceConnectEndpoint ec2:ModifyInstanceCpuOptions ec2:ModifyInstanceCreditSpecification ec2:ModifyInstanceEventStartTime ec2:ModifyInstanceEventWindow ec2:ModifyInstanceMaintenanceOptions ec2:ModifyInstanceMetadataDefaults ec2:ModifyInstanceMetadataOptions ec2:ModifyInstanceNetworkPerformanceOptions ec2:ModifyInstancePlacement ec2:ModifyIpam ec2:ModifyIpamPolicyAllocationRules ec2:ModifyIpamPool ec2:ModifyIpamPrefixListResolver ec2:ModifyIpamPrefixListResolverTarget ec2:ModifyIpamResourceCidr ec2:ModifyIpamResourceDiscovery ec2:ModifyIpamScope ec2:ModifyLaunchTemplate ec2:ModifyLocalGatewayRoute ec2:ModifyManagedPrefixList ec2:ModifyNetworkInterfaceAttribute ec2:ModifyPrivateDnsNameOptions ec2:ModifyPublicIpDnsNameOptions ec2:ModifyReservedInstances ec2:ModifyRouteServer ec2:ModifySecurityGroupRules ec2:ModifySnapshotAttribute ec2:ModifySnapshotTier ec2:ModifySpotFleetRequest ec2:ModifySubnetAttribute ec2:ModifyTrafficMirrorFilterNetworkServices ec2:ModifyTrafficMirrorFilterRule ec2:ModifyTrafficMirrorSession ec2:ModifyTransitGateway ec2:ModifyTransitGatewayMeteringPolicy ec2:ModifyTransitGatewayPrefixListReference ec2:ModifyTransitGatewayVpcAttachment ec2:ModifyVerifiedAccessEndpoint ec2:ModifyVerifiedAccessEndpointPolicy ec2:ModifyVerifiedAccessGroup ec2:ModifyVerifiedAccessGroupPolicy ec2:ModifyVerifiedAccessInstance ec2:ModifyVerifiedAccessInstanceLoggingConfiguration ec2:ModifyVerifiedAccessTrustProvider ec2:ModifyVolume ec2:ModifyVolumeAttribute ec2:ModifyVpcAttribute ec2:ModifyVpcBlockPublicAccessExclusion ec2:ModifyVpcBlockPublicAccessOptions ec2:ModifyVpcEncryptionControl ec2:ModifyVpcEndpoint ec2:ModifyVpcEndpointConnectionNotification ec2:ModifyVpcEndpointServiceConfiguration ec2:ModifyVpcEndpointServicePayerResponsibility ec2:ModifyVpcEndpointServicePermissions ec2:ModifyVpcPeeringConnectionOptions ec2:ModifyVpcTenancy ec2:ModifyVpnConnection ec2:ModifyVpnConnectionOptions ec2:ModifyVpnTunnelCertificate ec2:ModifyVpnTunnelOptions ec2:MonitorInstances ec2:MoveAddressToVpc ec2:MoveByoipCidrToIpam ec2:MoveCapacityReservationInstances ec2:ProvisionByoipCidr ec2:ProvisionIpamByoasn ec2:ProvisionIpamPoolCidr ec2:ProvisionPublicIpv4PoolCidr ec2:PurchaseCapacityBlockExtension ec2:PurchaseHostReservation ec2:PurchaseReservedInstancesOffering ec2:PurchaseScheduledInstances ec2:RebootInstances ec2:RegisterImage ec2:RegisterInstanceEventNotificationAttributes ec2:RegisterTransitGatewayMulticastGroupMembers ec2:RegisterTransitGatewayMulticastGroupSources ec2:RejectCapacityReservationBillingOwnership ec2:RejectTransitGatewayMulticastDomainAssociations ec2:RejectTransitGatewayPeeringAttachment ec2:RejectTransitGatewayVpcAttachment ec2:RejectVpcEndpointConnections ec2:RejectVpcPeeringConnection ec2:ReleaseAddress ec2:ReleaseHosts ec2:ReleaseIpamPoolAllocation ec2:ReplaceIamInstanceProfileAssociation ec2:ReplaceImageCriteriaInAllowedImagesSettings ec2:ReplaceNetworkAclAssociation ec2:ReplaceNetworkAclEntry ec2:ReplaceRoute ec2:ReplaceRouteTableAssociation ec2:ReplaceTransitGatewayRoute ec2:ReplaceVpnTunnel ec2:ReportInstanceStatus ec2:RequestSpotFleet ec2:RequestSpotInstances ec2:ResetAddressAttribute ec2:ResetEbsDefaultKmsKeyId ec2:ResetFpgaImageAttribute ec2:ResetImageAttribute ec2:ResetInstanceAttribute ec2:ResetNetworkInterfaceAttribute ec2:ResetSnapshotAttribute ec2:RestoreAddressToClassic ec2:RestoreImageFromRecycleBin ec2:RestoreManagedPrefixListVersion ec2:RestoreSnapshotFromRecycleBin ec2:RestoreSnapshotTier ec2:RestoreVolumeFromRecycleBin ec2:RevokeClientVpnIngress ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress ec2:RunInstances ec2:RunScheduledInstances ec2:SearchLocalGatewayRoutes ec2:SearchTransitGatewayMulticastGroups ec2:SearchTransitGatewayRoutes ec2:SendDiagnosticInterrupt ec2:StartDeclarativePoliciesReport ec2:StartInstances ec2:StartNetworkInsightsAccessScopeAnalysis ec2:StartNetworkInsightsAnalysis ec2:StartVpcEndpointServicePrivateDnsVerification ec2:TerminateClientVpnConnections ec2:UnassignIpv6Addresses ec2:UnassignPrivateIpAddresses ec2:UnassignPrivateNatGatewayAddress ec2:UnlockSnapshot ec2:UnmonitorInstances ec2:UpdateCapacityManagerOrganizationsAccess ec2:UpdateInterruptibleCapacityReservationAllocation ec2:UpdateSecurityGroupRuleDescriptionsEgress ec2:UpdateSecurityGroupRuleDescriptionsIngress ec2:WithdrawByoipCidr |
| ecr | ecr:BatchCheckLayerAvailability ecr:BatchDeleteImage ecr:BatchGetImage ecr:BatchGetRepositoryScanningConfiguration ecr:CompleteLayerUpload ecr:CreatePullThroughCacheRule ecr:CreateRepositoryCreationTemplate ecr:DeleteLifecyclePolicy ecr:DeletePullThroughCacheRule ecr:DeleteRegistryPolicy ecr:DeleteRepository ecr:DeleteRepositoryCreationTemplate ecr:DeleteRepositoryPolicy ecr:DeleteSigningConfiguration ecr:DescribeImageReplicationStatus ecr:DescribeImageScanFindings ecr:DescribeImages ecr:DescribePullThroughCacheRules ecr:DescribeRegistry ecr:DescribeRepositories ecr:DescribeRepositoryCreationTemplates ecr:GetAccountSetting ecr:GetAuthorizationToken ecr:GetDownloadUrlForLayer ecr:GetLifecyclePolicy ecr:GetLifecyclePolicyPreview ecr:GetRegistryPolicy ecr:GetRegistryScanningConfiguration ecr:GetRepositoryPolicy ecr:GetSigningConfiguration ecr:InitiateLayerUpload ecr:ListImages ecr:ListPullTimeUpdateExclusions ecr:PutAccountSetting ecr:PutImage ecr:PutImageScanningConfiguration ecr:PutRegistryPolicy ecr:PutRegistryScanningConfiguration ecr:PutReplicationConfiguration ecr:StartImageScan ecr:StartLifecyclePolicyPreview ecr:UpdatePullThroughCacheRule ecr:UpdateRepositoryCreationTemplate ecr:UploadLayerPart ecr:ValidatePullThroughCacheRule |
| ecr-public | ecr-public:BatchCheckLayerAvailability ecr-public:BatchDeleteImage ecr-public:CompleteLayerUpload ecr-public:CreateRepository ecr-public:DeleteRepository ecr-public:DeleteRepositoryPolicy ecr-public:DescribeImages ecr-public:DescribeRegistries ecr-public:DescribeRepositories ecr-public:GetAuthorizationToken ecr-public:GetRegistryCatalogData ecr-public:GetRepositoryCatalogData ecr-public:GetRepositoryPolicy ecr-public:InitiateLayerUpload ecr-public:PutImage ecr-public:PutRegistryCatalogData ecr-public:PutRepositoryCatalogData ecr-public:SetRepositoryPolicy ecr-public:UploadLayerPart |
| ecs | ecs:CreateCapacityProvider ecs:CreateCluster ecs:CreateService ecs:CreateTaskSet ecs:DeleteAccountSetting ecs:DeleteAttributes ecs:DeleteCapacityProvider ecs:DeleteCluster ecs:DeleteExpressGatewayService ecs:DeleteService ecs:DeleteTaskDefinitions ecs:DeleteTaskSet ecs:DeregisterContainerInstance ecs:DeregisterTaskDefinition ecs:DescribeCapacityProviders ecs:DescribeClusters ecs:DescribeContainerInstances ecs:DescribeExpressGatewayService ecs:DescribeServiceDeployments ecs:DescribeServiceRevisions ecs:DescribeServices ecs:DescribeTaskDefinition ecs:DescribeTaskSets ecs:DescribeTasks ecs:DiscoverPollEndpoint ecs:ExecuteCommand ecs:GetTaskProtection ecs:ListAccountSettings ecs:ListAttributes ecs:ListClusters ecs:ListContainerInstances ecs:ListServiceDeployments ecs:ListServices ecs:ListServicesByNamespace ecs:ListTaskDefinitionFamilies ecs:ListTaskDefinitions ecs:ListTasks ecs:PutAccountSetting ecs:PutAccountSettingDefault ecs:PutAttributes ecs:PutClusterCapacityProviders ecs:RegisterContainerInstance ecs:RunTask ecs:StartTask ecs:StopServiceDeployment ecs:StopTask ecs:SubmitAttachmentStateChanges ecs:SubmitContainerStateChange ecs:SubmitTaskStateChange ecs:UpdateCapacityProvider ecs:UpdateCluster ecs:UpdateClusterSettings ecs:UpdateContainerAgent ecs:UpdateContainerInstancesState ecs:UpdateExpressGatewayService ecs:UpdateService ecs:UpdateServicePrimaryTaskSet ecs:UpdateTaskProtection ecs:UpdateTaskSet |
| eks | eks:AssociateAccessPolicy eks:AssociateEncryptionConfig eks:AssociateIdentityProviderConfig eks:CreateAccessEntry eks:CreateAddon eks:CreateCluster eks:CreateEksAnywhereSubscription eks:CreateFargateProfile eks:CreateNodegroup eks:DeleteAccessEntry eks:DeleteAddon eks:DeleteCapability eks:DeleteCluster eks:DeleteEksAnywhereSubscription eks:DeleteFargateProfile eks:DeleteNodegroup eks:DeletePodIdentityAssociation eks:DeregisterCluster eks:DescribeAccessEntry eks:DescribeAddon eks:DescribeAddonConfiguration eks:DescribeAddonVersions eks:DescribeCapability eks:DescribeCluster eks:DescribeClusterVersions eks:DescribeEksAnywhereSubscription eks:DescribeFargateProfile eks:DescribeIdentityProviderConfig eks:DescribeInsight eks:DescribeInsightsRefresh eks:DescribeNodegroup eks:DescribePodIdentityAssociation eks:DescribeUpdate eks:DisassociateAccessPolicy eks:DisassociateIdentityProviderConfig eks:ListAccessEntries eks:ListAccessPolicies eks:ListAddons eks:ListAssociatedAccessPolicies eks:ListCapabilities eks:ListClusters eks:ListEksAnywhereSubscriptions eks:ListFargateProfiles eks:ListIdentityProviderConfigs eks:ListInsights eks:ListNodegroups eks:ListPodIdentityAssociations eks:ListUpdates eks:RegisterCluster eks:StartInsightsRefresh eks:UpdateAccessEntry eks:UpdateAddon eks:UpdateCapability eks:UpdateClusterConfig eks:UpdateClusterVersion eks:UpdateEksAnywhereSubscription eks:UpdateNodegroupConfig eks:UpdateNodegroupVersion eks:UpdatePodIdentityAssociation |
| elasticache | elasticache:AuthorizeCacheSecurityGroupIngress elasticache:BatchApplyUpdateAction elasticache:BatchStopUpdateAction elasticache:CompleteMigration elasticache:CopyServerlessCacheSnapshot elasticache:CopySnapshot elasticache:CreateCacheCluster elasticache:CreateCacheParameterGroup elasticache:CreateCacheSecurityGroup elasticache:CreateCacheSubnetGroup elasticache:CreateGlobalReplicationGroup elasticache:CreateReplicationGroup elasticache:CreateServerlessCache elasticache:CreateServerlessCacheSnapshot elasticache:CreateSnapshot elasticache:CreateUser elasticache:CreateUserGroup elasticache:DecreaseNodeGroupsInGlobalReplicationGroup elasticache:DecreaseReplicaCount elasticache:DeleteCacheCluster elasticache:DeleteCacheParameterGroup elasticache:DeleteCacheSecurityGroup elasticache:DeleteCacheSubnetGroup elasticache:DeleteGlobalReplicationGroup elasticache:DeleteReplicationGroup elasticache:DeleteServerlessCache elasticache:DeleteServerlessCacheSnapshot elasticache:DeleteSnapshot elasticache:DeleteUser elasticache:DeleteUserGroup elasticache:DescribeCacheClusters elasticache:DescribeCacheEngineVersions elasticache:DescribeCacheParameterGroups elasticache:DescribeCacheParameters elasticache:DescribeCacheSecurityGroups elasticache:DescribeCacheSubnetGroups elasticache:DescribeEngineDefaultParameters elasticache:DescribeEvents elasticache:DescribeGlobalReplicationGroups elasticache:DescribeReplicationGroups elasticache:DescribeReservedCacheNodes elasticache:DescribeReservedCacheNodesOfferings elasticache:DescribeServerlessCacheSnapshots elasticache:DescribeServerlessCaches elasticache:DescribeServiceUpdates elasticache:DescribeSnapshots elasticache:DescribeUpdateActions elasticache:DescribeUserGroups elasticache:DescribeUsers elasticache:DisassociateGlobalReplicationGroup elasticache:ExportServerlessCacheSnapshot elasticache:FailoverGlobalReplicationGroup elasticache:IncreaseNodeGroupsInGlobalReplicationGroup elasticache:IncreaseReplicaCount elasticache:ListAllowedNodeTypeModifications elasticache:ModifyCacheCluster elasticache:ModifyCacheParameterGroup elasticache:ModifyCacheSubnetGroup elasticache:ModifyGlobalReplicationGroup elasticache:ModifyReplicationGroup elasticache:ModifyReplicationGroupShardConfiguration elasticache:ModifyServerlessCache elasticache:ModifyUser elasticache:ModifyUserGroup elasticache:PurchaseReservedCacheNodesOffering elasticache:RebalanceSlotsInGlobalReplicationGroup elasticache:RebootCacheCluster elasticache:ResetCacheParameterGroup elasticache:RevokeCacheSecurityGroupIngress elasticache:StartMigration elasticache:TestFailover elasticache:TestMigration |
| elasticbeanstalk | elasticbeanstalk:AbortEnvironmentUpdate elasticbeanstalk:ApplyEnvironmentManagedAction elasticbeanstalk:AssociateEnvironmentOperationsRole elasticbeanstalk:CheckDNSAvailability elasticbeanstalk:ComposeEnvironments elasticbeanstalk:CreateApplication elasticbeanstalk:CreateApplicationVersion elasticbeanstalk:CreateConfigurationTemplate elasticbeanstalk:CreateEnvironment elasticbeanstalk:CreatePlatformVersion elasticbeanstalk:CreateStorageLocation elasticbeanstalk:DeleteApplication elasticbeanstalk:DeleteApplicationVersion elasticbeanstalk:DeleteConfigurationTemplate elasticbeanstalk:DeleteEnvironmentConfiguration elasticbeanstalk:DeletePlatformVersion elasticbeanstalk:DescribeAccountAttributes elasticbeanstalk:DescribeApplicationVersions elasticbeanstalk:DescribeApplications elasticbeanstalk:DescribeConfigurationOptions elasticbeanstalk:DescribeConfigurationSettings elasticbeanstalk:DescribeEnvironmentHealth elasticbeanstalk:DescribeEnvironmentManagedActionHistory elasticbeanstalk:DescribeEnvironmentManagedActions elasticbeanstalk:DescribeEnvironmentResources elasticbeanstalk:DescribeEnvironments elasticbeanstalk:DescribeEvents elasticbeanstalk:DescribeInstancesHealth elasticbeanstalk:DescribePlatformVersion elasticbeanstalk:DisassociateEnvironmentOperationsRole elasticbeanstalk:ListAvailableSolutionStacks elasticbeanstalk:ListPlatformBranches elasticbeanstalk:ListPlatformVersions elasticbeanstalk:RebuildEnvironment elasticbeanstalk:RequestEnvironmentInfo elasticbeanstalk:RestartAppServer elasticbeanstalk:RetrieveEnvironmentInfo elasticbeanstalk:SwapEnvironmentCNAMEs elasticbeanstalk:TerminateEnvironment elasticbeanstalk:UpdateApplication elasticbeanstalk:UpdateApplicationResourceLifecycle elasticbeanstalk:UpdateApplicationVersion elasticbeanstalk:UpdateConfigurationTemplate elasticbeanstalk:UpdateEnvironment elasticbeanstalk:ValidateConfigurationSettings |
| elasticfilesystem | elasticfilesystem:CreateAccessPoint elasticfilesystem:CreateFileSystem elasticfilesystem:CreateMountTarget elasticfilesystem:CreateReplicationConfiguration elasticfilesystem:DeleteAccessPoint elasticfilesystem:DeleteFileSystem elasticfilesystem:DeleteFileSystemPolicy elasticfilesystem:DeleteMountTarget elasticfilesystem:DeleteReplicationConfiguration elasticfilesystem:DescribeAccessPoints elasticfilesystem:DescribeAccountPreferences elasticfilesystem:DescribeBackupPolicy elasticfilesystem:DescribeFileSystemPolicy elasticfilesystem:DescribeFileSystems elasticfilesystem:DescribeLifecycleConfiguration elasticfilesystem:DescribeMountTargetSecurityGroups elasticfilesystem:DescribeMountTargets elasticfilesystem:DescribeReplicationConfigurations elasticfilesystem:ModifyMountTargetSecurityGroups elasticfilesystem:PutAccountPreferences elasticfilesystem:PutBackupPolicy elasticfilesystem:PutFileSystemPolicy elasticfilesystem:PutLifecycleConfiguration elasticfilesystem:UpdateFileSystem elasticfilesystem:UpdateFileSystemProtection |
| elasticloadbalancing | elasticloadbalancing:AddListenerCertificates elasticloadbalancing:AddTrustStoreRevocations elasticloadbalancing:ApplySecurityGroupsToLoadBalancer elasticloadbalancing:AttachLoadBalancerToSubnets elasticloadbalancing:ConfigureHealthCheck elasticloadbalancing:CreateAppCookieStickinessPolicy elasticloadbalancing:CreateLBCookieStickinessPolicy elasticloadbalancing:CreateListener elasticloadbalancing:CreateLoadBalancer elasticloadbalancing:CreateLoadBalancerListeners elasticloadbalancing:CreateLoadBalancerPolicy elasticloadbalancing:CreateRule elasticloadbalancing:CreateTargetGroup elasticloadbalancing:CreateTrustStore elasticloadbalancing:CreateWebACLAssociation elasticloadbalancing:DeleteListener elasticloadbalancing:DeleteLoadBalancer elasticloadbalancing:DeleteLoadBalancerListeners elasticloadbalancing:DeleteLoadBalancerPolicy elasticloadbalancing:DeleteRule elasticloadbalancing:DeleteSharedTrustStoreAssociation elasticloadbalancing:DeleteTargetGroup elasticloadbalancing:DeleteTrustStore elasticloadbalancing:DeleteWebACLAssociation elasticloadbalancing:DeregisterInstancesFromLoadBalancer elasticloadbalancing:DeregisterTargets elasticloadbalancing:DescribeAccountLimits elasticloadbalancing:DescribeCapacityReservation elasticloadbalancing:DescribeInstanceHealth elasticloadbalancing:DescribeListenerAttributes elasticloadbalancing:DescribeListenerCertificates elasticloadbalancing:DescribeListeners elasticloadbalancing:DescribeLoadBalancerAttributes elasticloadbalancing:DescribeLoadBalancerPolicies elasticloadbalancing:DescribeLoadBalancerPolicyTypes elasticloadbalancing:DescribeLoadBalancers elasticloadbalancing:DescribeRules elasticloadbalancing:DescribeSSLPolicies elasticloadbalancing:DescribeTargetGroupAttributes elasticloadbalancing:DescribeTargetGroups elasticloadbalancing:DescribeTargetHealth elasticloadbalancing:DescribeTrustStoreAssociations elasticloadbalancing:DescribeTrustStoreRevocations elasticloadbalancing:DescribeTrustStores elasticloadbalancing:DescribeWebACLAssociation elasticloadbalancing:DetachLoadBalancerFromSubnets elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer elasticloadbalancing:GetLoadBalancerWebACL elasticloadbalancing:GetResourcePolicy elasticloadbalancing:GetTrustStoreCaCertificatesBundle elasticloadbalancing:GetTrustStoreRevocationContent elasticloadbalancing:ModifyCapacityReservation elasticloadbalancing:ModifyIpPools elasticloadbalancing:ModifyListener elasticloadbalancing:ModifyLoadBalancerAttributes elasticloadbalancing:ModifyRule elasticloadbalancing:ModifyTargetGroup elasticloadbalancing:ModifyTargetGroupAttributes elasticloadbalancing:ModifyTrustStore elasticloadbalancing:RegisterInstancesWithLoadBalancer elasticloadbalancing:RegisterTargets elasticloadbalancing:RemoveListenerCertificates elasticloadbalancing:RemoveTrustStoreRevocations elasticloadbalancing:SetIpAddressType elasticloadbalancing:SetLoadBalancerListenerSSLCertificate elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer elasticloadbalancing:SetLoadBalancerPoliciesOfListener elasticloadbalancing:SetRulePriorities elasticloadbalancing:SetSecurityGroups elasticloadbalancing:SetSubnets |
| elastictranscoder | elastictranscoder:CancelJob elastictranscoder:CreateJob elastictranscoder:CreatePipeline elastictranscoder:CreatePreset elastictranscoder:DeletePipeline elastictranscoder:DeletePreset elastictranscoder:ListJobsByPipeline elastictranscoder:ListJobsByStatus elastictranscoder:ListPipelines elastictranscoder:ListPresets elastictranscoder:ReadJob elastictranscoder:ReadPipeline elastictranscoder:ReadPreset elastictranscoder:TestRole elastictranscoder:UpdatePipeline elastictranscoder:UpdatePipelineNotifications elastictranscoder:UpdatePipelineStatus |
| emr-containers | emr-containers:CancelJobRun emr-containers:CreateJobTemplate emr-containers:CreateManagedEndpoint emr-containers:CreateSecurityConfiguration emr-containers:CreateVirtualCluster emr-containers:DeleteJobTemplate emr-containers:DeleteManagedEndpoint emr-containers:DeleteVirtualCluster emr-containers:DescribeJobRun emr-containers:DescribeJobTemplate emr-containers:DescribeManagedEndpoint emr-containers:DescribeSecurityConfiguration emr-containers:DescribeVirtualCluster emr-containers:GetManagedEndpointSessionCredentials emr-containers:ListJobRuns emr-containers:ListJobTemplates emr-containers:ListManagedEndpoints emr-containers:ListSecurityConfigurations emr-containers:ListVirtualClusters emr-containers:StartJobRun |
| emr-serverless | emr-serverless:CancelJobRun emr-serverless:CreateApplication emr-serverless:DeleteApplication emr-serverless:GetApplication emr-serverless:GetDashboardForJobRun emr-serverless:GetJobRun emr-serverless:ListApplications emr-serverless:ListJobRunAttempts emr-serverless:ListJobRuns emr-serverless:StartApplication emr-serverless:StartJobRun emr-serverless:StopApplication emr-serverless:UpdateApplication |
| es | es:AcceptInboundConnection es:AcceptInboundCrossClusterSearchConnection es:AssociatePackage es:AuthorizeVpcEndpointAccess es:CancelElasticsearchServiceSoftwareUpdate es:CancelServiceSoftwareUpdate es:CreateDomain es:CreateElasticsearchDomain es:CreateIndex es:CreateOutboundConnection es:CreateOutboundCrossClusterSearchConnection es:CreatePackage es:CreateVpcEndpoint es:DeleteDomain es:DeleteElasticsearchDomain es:DeleteElasticsearchServiceRole es:DeleteInboundConnection es:DeleteInboundCrossClusterSearchConnection es:DeleteIndex es:DeleteOutboundConnection es:DeleteOutboundCrossClusterSearchConnection es:DeletePackage es:DeleteVpcEndpoint es:DescribeDomain es:DescribeDomainAutoTunes es:DescribeDomainChangeProgress es:DescribeDomainConfig es:DescribeDomainHealth es:DescribeDomainNodes es:DescribeDomains es:DescribeDryRunProgress es:DescribeElasticsearchDomain es:DescribeElasticsearchDomainConfig es:DescribeElasticsearchDomains es:DescribeElasticsearchInstanceTypeLimits es:DescribeInboundConnections es:DescribeInboundCrossClusterSearchConnections es:DescribeInstanceTypeLimits es:DescribeOutboundConnections es:DescribeOutboundCrossClusterSearchConnections es:DescribePackages es:DescribeReservedElasticsearchInstanceOfferings es:DescribeReservedElasticsearchInstances es:DescribeReservedInstanceOfferings es:DescribeReservedInstances es:DescribeVpcEndpoints es:DissociatePackage es:DissociatePackages es:GetCompatibleElasticsearchVersions es:GetCompatibleVersions es:GetDataSource es:GetDomainMaintenanceStatus es:GetPackageVersionHistory es:GetUpgradeHistory es:GetUpgradeStatus es:ListDataSources es:ListDomainNames es:ListDomainsForPackage es:ListElasticsearchInstanceTypes es:ListElasticsearchVersions es:ListInstanceTypeDetails es:ListPackagesForDomain es:ListScheduledActions es:ListVersions es:ListVpcEndpointAccess es:ListVpcEndpoints es:ListVpcEndpointsForDomain es:PurchaseReservedElasticsearchInstanceOffering es:PurchaseReservedInstanceOffering es:RejectInboundConnection es:RejectInboundCrossClusterSearchConnection es:RevokeVpcEndpointAccess es:StartDomainMaintenance es:StartElasticsearchServiceSoftwareUpdate es:StartServiceSoftwareUpdate es:UpdateDataSource es:UpdateDomainConfig es:UpdateElasticsearchDomainConfig es:UpdateIndex es:UpdatePackage es:UpdatePackageScope es:UpdateScheduledAction es:UpdateVpcEndpoint es:UpgradeDomain es:UpgradeElasticsearchDomain |
| events | events:ActivateEventSource events:CancelReplay events:CreateApiDestination events:CreateArchive events:CreateConnection events:CreateEndpoint events:CreateEventBus events:CreatePartnerEventSource events:DeactivateEventSource events:DeauthorizeConnection events:DeleteApiDestination events:DeleteArchive events:DeleteConnection events:DeleteEndpoint events:DeleteEventBus events:DeletePartnerEventSource events:DeleteRule events:DescribeApiDestination events:DescribeArchive events:DescribeConnection events:DescribeEndpoint events:DescribeEventBus events:DescribeEventSource events:DescribePartnerEventSource events:DescribeReplay events:DescribeRule events:DisableRule events:EnableRule events:ListApiDestinations events:ListArchives events:ListConnections events:ListEndpoints events:ListEventBuses events:ListEventSources events:ListPartnerEventSourceAccounts events:ListPartnerEventSources events:ListReplays events:ListRuleNamesByTarget events:ListRules events:ListTargetsByRule events:PutPermission events:PutRule events:PutTargets events:RemovePermission events:RemoveTargets events:StartReplay events:TestEventPattern events:UpdateApiDestination events:UpdateArchive events:UpdateConnection events:UpdateEndpoint events:UpdateEventBus |
| evidently | evidently:CreateExperiment evidently:CreateFeature evidently:CreateLaunch evidently:CreateProject evidently:CreateSegment evidently:DeleteExperiment evidently:DeleteFeature evidently:DeleteLaunch evidently:DeleteProject evidently:DeleteSegment evidently:GetExperiment evidently:GetExperimentResults evidently:GetFeature evidently:GetLaunch evidently:GetProject evidently:GetSegment evidently:ListExperiments evidently:ListFeatures evidently:ListLaunches evidently:ListProjects evidently:ListSegmentReferences evidently:ListSegments evidently:StartExperiment evidently:StartLaunch evidently:StopExperiment evidently:StopLaunch evidently:TestSegmentPattern evidently:UpdateExperiment evidently:UpdateFeature evidently:UpdateLaunch evidently:UpdateProject evidently:UpdateProjectDataDelivery |
| finspace | finspace:CreateEnvironment finspace:CreateKxChangeset finspace:CreateKxCluster finspace:CreateKxDatabase finspace:CreateKxDataview finspace:CreateKxEnvironment finspace:CreateKxScalingGroup finspace:CreateKxUser finspace:CreateKxVolume finspace:CreateUser finspace:DeleteEnvironment finspace:DeleteKxCluster finspace:DeleteKxClusterNode finspace:DeleteKxDatabase finspace:DeleteKxDataview finspace:DeleteKxEnvironment finspace:DeleteKxScalingGroup finspace:DeleteKxUser finspace:DeleteKxVolume finspace:GetEnvironment finspace:GetKxChangeset finspace:GetKxCluster finspace:GetKxConnectionString finspace:GetKxDatabase finspace:GetKxDataview finspace:GetKxEnvironment finspace:GetKxScalingGroup finspace:GetKxUser finspace:GetKxVolume finspace:GetLoadSampleDataSetGroupIntoEnvironmentStatus finspace:GetUser finspace:ListEnvironments finspace:ListKxChangesets finspace:ListKxClusterNodes finspace:ListKxClusters finspace:ListKxDatabases finspace:ListKxDataviews finspace:ListKxEnvironments finspace:ListKxScalingGroups finspace:ListKxUsers finspace:ListKxVolumes finspace:ListUsers finspace:LoadSampleDataSetGroupIntoEnvironment finspace:ResetUserPassword finspace:UpdateEnvironment finspace:UpdateKxClusterCodeConfiguration finspace:UpdateKxClusterDatabases finspace:UpdateKxDatabase finspace:UpdateKxDataview finspace:UpdateKxEnvironment finspace:UpdateKxEnvironmentNetwork finspace:UpdateKxUser finspace:UpdateKxVolume finspace:UpdateUser |
| firehose | firehose:CreateDeliveryStream firehose:DeleteDeliveryStream firehose:DescribeDeliveryStream firehose:ListDeliveryStreams firehose:StartDeliveryStreamEncryption firehose:StopDeliveryStreamEncryption firehose:UpdateDestination |
| fis | fis:CreateExperimentTemplate fis:CreateTargetAccountConfiguration fis:DeleteExperimentTemplate fis:DeleteTargetAccountConfiguration fis:GetAction fis:GetExperiment fis:GetExperimentTargetAccountConfiguration fis:GetExperimentTemplate fis:GetSafetyLever fis:GetTargetAccountConfiguration fis:GetTargetResourceType fis:ListActions fis:ListExperimentResolvedTargets fis:ListExperimentTargetAccountConfigurations fis:ListExperimentTemplates fis:ListExperiments fis:ListTargetAccountConfigurations fis:ListTargetResourceTypes fis:StartExperiment fis:StopExperiment fis:UpdateExperimentTemplate fis:UpdateSafetyLeverState fis:UpdateTargetAccountConfiguration |
| fms | fms:AssociateAdminAccount fms:AssociateThirdPartyFirewall fms:BatchAssociateResource fms:BatchDisassociateResource fms:DeleteAppsList fms:DeleteNotificationChannel fms:DeletePolicy fms:DeleteProtocolsList fms:DeleteResourceSet fms:DisassociateAdminAccount fms:DisassociateThirdPartyFirewall fms:GetAdminAccount fms:GetAdminScope fms:GetAppsList fms:GetComplianceDetail fms:GetNotificationChannel fms:GetPolicy fms:GetProtectionStatus fms:GetProtocolsList fms:GetResourceSet fms:GetThirdPartyFirewallAssociationStatus fms:GetViolationDetails fms:ListAdminAccountsForOrganization fms:ListAdminsManagingAccount fms:ListAppsLists fms:ListComplianceStatus fms:ListDiscoveredResources fms:ListMemberAccounts fms:ListPolicies fms:ListProtocolsLists fms:ListResourceSetResources fms:ListResourceSets fms:ListThirdPartyFirewallFirewallPolicies fms:PutAdminAccount fms:PutAppsList fms:PutNotificationChannel fms:PutPolicy fms:PutProtocolsList fms:PutResourceSet |
| frauddetector | frauddetector:BatchCreateVariable frauddetector:BatchGetVariable frauddetector:CancelBatchImportJob frauddetector:CancelBatchPredictionJob frauddetector:CreateBatchImportJob frauddetector:CreateBatchPredictionJob frauddetector:CreateDetectorVersion frauddetector:CreateList frauddetector:CreateModel frauddetector:CreateModelVersion frauddetector:CreateRule frauddetector:CreateVariable frauddetector:DeleteBatchImportJob frauddetector:DeleteBatchPredictionJob frauddetector:DeleteDetector frauddetector:DeleteDetectorVersion frauddetector:DeleteEntityType frauddetector:DeleteEvent frauddetector:DeleteEventType frauddetector:DeleteEventsByEventType frauddetector:DeleteExternalModel frauddetector:DeleteLabel frauddetector:DeleteList frauddetector:DeleteModel frauddetector:DeleteModelVersion frauddetector:DeleteOutcome frauddetector:DeleteRule frauddetector:DeleteVariable frauddetector:DescribeDetector frauddetector:DescribeModelVersions frauddetector:GetBatchImportJobs frauddetector:GetBatchPredictionJobs frauddetector:GetDeleteEventsByEventTypeStatus frauddetector:GetDetectorVersion frauddetector:GetDetectors frauddetector:GetEntityTypes frauddetector:GetEvent frauddetector:GetEventPrediction frauddetector:GetEventPredictionMetadata frauddetector:GetEventTypes frauddetector:GetExternalModels frauddetector:GetKMSEncryptionKey frauddetector:GetLabels frauddetector:GetListElements frauddetector:GetListsMetadata frauddetector:GetModelVersion frauddetector:GetModels frauddetector:GetOutcomes frauddetector:GetRules frauddetector:GetVariables frauddetector:ListEventPredictions frauddetector:PutDetector frauddetector:PutEntityType frauddetector:PutEventType frauddetector:PutExternalModel frauddetector:PutKMSEncryptionKey frauddetector:PutLabel frauddetector:PutOutcome frauddetector:SendEvent frauddetector:UpdateDetectorVersion frauddetector:UpdateDetectorVersionMetadata frauddetector:UpdateDetectorVersionStatus frauddetector:UpdateEventLabel frauddetector:UpdateList frauddetector:UpdateModel frauddetector:UpdateModelVersion frauddetector:UpdateModelVersionStatus frauddetector:UpdateRuleMetadata frauddetector:UpdateRuleVersion frauddetector:UpdateVariable |
| fsx | fsx:AssociateFileSystemAliases fsx:CancelDataRepositoryTask fsx:CopyBackup fsx:CreateDataRepositoryTask fsx:CreateFileCache fsx:CreateFileSystem fsx:CreateFileSystemFromBackup fsx:CreateSnapshot fsx:CreateStorageVirtualMachine fsx:CreateVolume fsx:CreateVolumeFromBackup fsx:DeleteBackup fsx:DeleteFileCache fsx:DeleteFileSystem fsx:DeleteSnapshot fsx:DeleteStorageVirtualMachine fsx:DeleteVolume fsx:DescribeBackups fsx:DescribeDataRepositoryAssociations fsx:DescribeDataRepositoryTasks fsx:DescribeFileCaches fsx:DescribeFileSystemAliases fsx:DescribeFileSystems fsx:DescribeS3AccessPointAttachments fsx:DescribeSharedVpcConfiguration fsx:DescribeSnapshots fsx:DescribeStorageVirtualMachines fsx:DescribeVolumes fsx:DetachAndDeleteS3AccessPoint fsx:DisassociateFileSystemAliases fsx:ReleaseFileSystemNfsV3Locks fsx:RestoreVolumeFromSnapshot fsx:StartMisconfiguredStateRecovery fsx:UpdateDataRepositoryAssociation fsx:UpdateFileCache fsx:UpdateFileSystem fsx:UpdateSharedVpcConfiguration fsx:UpdateSnapshot fsx:UpdateStorageVirtualMachine fsx:UpdateVolume |
| gamelift | gamelift:AcceptMatch gamelift:ClaimGameServer gamelift:CreateAlias gamelift:CreateBuild gamelift:CreateContainerGroupDefinition gamelift:CreateFleet gamelift:CreateFleetLocations gamelift:CreateGameServerGroup gamelift:CreateGameSession gamelift:CreateGameSessionQueue gamelift:CreateLocation gamelift:CreateMatchmakingConfiguration gamelift:CreateMatchmakingRuleSet gamelift:CreatePlayerSession gamelift:CreatePlayerSessions gamelift:CreateScript gamelift:CreateVpcPeeringAuthorization gamelift:CreateVpcPeeringConnection gamelift:DeleteAlias gamelift:DeleteBuild gamelift:DeleteContainerGroupDefinition gamelift:DeleteFleet gamelift:DeleteFleetLocations gamelift:DeleteGameServerGroup gamelift:DeleteGameSessionQueue gamelift:DeleteLocation gamelift:DeleteMatchmakingConfiguration gamelift:DeleteMatchmakingRuleSet gamelift:DeleteScalingPolicy gamelift:DeleteScript gamelift:DeleteVpcPeeringAuthorization gamelift:DeleteVpcPeeringConnection gamelift:DeregisterCompute gamelift:DeregisterGameServer gamelift:DescribeAlias gamelift:DescribeBuild gamelift:DescribeCompute gamelift:DescribeContainerFleet gamelift:DescribeContainerGroupDefinition gamelift:DescribeEC2InstanceLimits gamelift:DescribeFleetAttributes gamelift:DescribeFleetCapacity gamelift:DescribeFleetEvents gamelift:DescribeFleetLocationAttributes gamelift:DescribeFleetLocationCapacity gamelift:DescribeFleetLocationUtilization gamelift:DescribeFleetPortSettings gamelift:DescribeFleetUtilization gamelift:DescribeGameServer gamelift:DescribeGameServerGroup gamelift:DescribeGameServerInstances gamelift:DescribeGameSessionDetails gamelift:DescribeGameSessionPlacement gamelift:DescribeGameSessionQueues gamelift:DescribeGameSessions gamelift:DescribeInstances gamelift:DescribeMatchmaking gamelift:DescribeMatchmakingConfigurations gamelift:DescribeMatchmakingRuleSets gamelift:DescribePlayerSessions gamelift:DescribeRuntimeConfiguration gamelift:DescribeScalingPolicies gamelift:DescribeScript gamelift:DescribeVpcPeeringAuthorizations gamelift:DescribeVpcPeeringConnections gamelift:GetComputeAccess gamelift:GetComputeAuthToken gamelift:GetGameSessionLogUrl gamelift:GetInstanceAccess gamelift:ListAliases gamelift:ListBuilds gamelift:ListCompute gamelift:ListContainerFleets gamelift:ListContainerGroupDefinitionVersions gamelift:ListContainerGroupDefinitions gamelift:ListFleetDeployments gamelift:ListFleets gamelift:ListGameServerGroups gamelift:ListGameServers gamelift:ListLocations gamelift:ListScripts gamelift:PutScalingPolicy gamelift:RegisterCompute gamelift:RegisterGameServer gamelift:RequestUploadCredentials gamelift:ResolveAlias gamelift:ResumeGameServerGroup gamelift:SearchGameSessions gamelift:StartFleetActions gamelift:StartGameSessionPlacement gamelift:StartMatchBackfill gamelift:StartMatchmaking gamelift:StopFleetActions gamelift:StopGameSessionPlacement gamelift:StopMatchmaking gamelift:SuspendGameServerGroup gamelift:TerminateGameSession gamelift:UpdateAlias gamelift:UpdateBuild gamelift:UpdateContainerGroupDefinition gamelift:UpdateFleetAttributes gamelift:UpdateFleetCapacity gamelift:UpdateFleetPortSettings gamelift:UpdateGameServer gamelift:UpdateGameServerGroup gamelift:UpdateGameSession gamelift:UpdateGameSessionQueue gamelift:UpdateMatchmakingConfiguration gamelift:UpdateRuntimeConfiguration gamelift:UpdateScript gamelift:ValidateMatchmakingRuleSet |
| geo | geo:AssociateTrackerConsumer geo:BatchDeleteDevicePositionHistory geo:BatchDeleteGeofence geo:BatchEvaluateGeofences geo:BatchGetDevicePosition geo:BatchPutGeofence geo:BatchUpdateDevicePosition geo:CalculateRoute geo:CalculateRouteMatrix geo:CreateGeofenceCollection geo:CreateMap geo:CreatePlaceIndex geo:CreateRouteCalculator geo:CreateTracker geo:DeleteGeofenceCollection geo:DeleteKey geo:DeleteMap geo:DeletePlaceIndex geo:DeleteRouteCalculator geo:DeleteTracker geo:DescribeGeofenceCollection geo:DescribeKey geo:DescribeMap geo:DescribePlaceIndex geo:DescribeRouteCalculator geo:DescribeTracker geo:DisassociateTrackerConsumer geo:ForecastGeofenceEvents geo:GetDevicePosition geo:GetDevicePositionHistory geo:GetGeofence geo:GetMapGlyphs geo:GetMapSprites geo:GetMapStyleDescriptor geo:GetMapTile geo:GetPlace geo:ListDevicePositions geo:ListGeofenceCollections geo:ListGeofences geo:ListKeys geo:ListMaps geo:ListPlaceIndexes geo:ListRouteCalculators geo:ListTrackerConsumers geo:ListTrackers geo:PutGeofence geo:SearchPlaceIndexForPosition geo:SearchPlaceIndexForSuggestions geo:SearchPlaceIndexForText geo:UpdateGeofenceCollection geo:UpdateKey geo:UpdateMap geo:UpdatePlaceIndex geo:UpdateRouteCalculator geo:UpdateTracker geo:VerifyDevicePosition |
| glacier | glacier:AbortMultipartUpload glacier:AbortVaultLock glacier:CompleteMultipartUpload glacier:CompleteVaultLock glacier:CreateVault glacier:DeleteArchive glacier:DeleteVault glacier:DeleteVaultAccessPolicy glacier:DeleteVaultNotifications glacier:DescribeJob glacier:DescribeVault glacier:GetDataRetrievalPolicy glacier:GetJobOutput glacier:GetVaultAccessPolicy glacier:GetVaultLock glacier:GetVaultNotifications glacier:InitiateJob glacier:InitiateMultipartUpload glacier:InitiateVaultLock glacier:ListJobs glacier:ListMultipartUploads glacier:ListParts glacier:ListProvisionedCapacity glacier:ListVaults glacier:PurchaseProvisionedCapacity glacier:SetDataRetrievalPolicy glacier:SetVaultAccessPolicy glacier:SetVaultNotifications glacier:UploadArchive glacier:UploadMultipartPart |
| grafana | grafana:AssociateLicense grafana:CreateWorkspace grafana:CreateWorkspaceApiKey grafana:CreateWorkspaceServiceAccount grafana:CreateWorkspaceServiceAccountToken grafana:DeleteWorkspace grafana:DeleteWorkspaceApiKey grafana:DeleteWorkspaceServiceAccount grafana:DeleteWorkspaceServiceAccountToken grafana:DescribeWorkspace grafana:DescribeWorkspaceAuthentication grafana:DescribeWorkspaceConfiguration grafana:DisassociateLicense grafana:ListPermissions grafana:ListVersions grafana:ListWorkspaceServiceAccountTokens grafana:ListWorkspaceServiceAccounts grafana:ListWorkspaces grafana:UpdatePermissions grafana:UpdateWorkspace grafana:UpdateWorkspaceAuthentication grafana:UpdateWorkspaceConfiguration |
| greengrass | greengrass:AssociateRoleToGroup greengrass:AssociateServiceRoleToAccount greengrass:BatchAssociateClientDeviceWithCoreDevice greengrass:BatchDisassociateClientDeviceFromCoreDevice greengrass:CancelDeployment greengrass:CreateComponentVersion greengrass:CreateConnectorDefinition greengrass:CreateConnectorDefinitionVersion greengrass:CreateCoreDefinition greengrass:CreateCoreDefinitionVersion greengrass:CreateDeployment greengrass:CreateDeviceDefinition greengrass:CreateDeviceDefinitionVersion greengrass:CreateFunctionDefinition greengrass:CreateFunctionDefinitionVersion greengrass:CreateGroup greengrass:CreateGroupCertificateAuthority greengrass:CreateGroupVersion greengrass:CreateLoggerDefinition greengrass:CreateLoggerDefinitionVersion greengrass:CreateResourceDefinition greengrass:CreateResourceDefinitionVersion greengrass:CreateSoftwareUpdateJob greengrass:CreateSubscriptionDefinition greengrass:CreateSubscriptionDefinitionVersion greengrass:DeleteComponent greengrass:DeleteConnectorDefinition greengrass:DeleteCoreDefinition greengrass:DeleteCoreDevice greengrass:DeleteDeployment greengrass:DeleteDeviceDefinition greengrass:DeleteFunctionDefinition greengrass:DeleteGroup greengrass:DeleteLoggerDefinition greengrass:DeleteResourceDefinition greengrass:DeleteSubscriptionDefinition greengrass:DescribeComponent greengrass:DisassociateRoleFromGroup greengrass:DisassociateServiceRoleFromAccount greengrass:GetAssociatedRole greengrass:GetBulkDeploymentStatus greengrass:GetComponent greengrass:GetComponentVersionArtifact greengrass:GetConnectivityInfo greengrass:GetConnectorDefinition greengrass:GetConnectorDefinitionVersion greengrass:GetCoreDefinition greengrass:GetCoreDefinitionVersion greengrass:GetCoreDevice greengrass:GetDeployment greengrass:GetDeploymentStatus greengrass:GetDeviceDefinition greengrass:GetDeviceDefinitionVersion greengrass:GetFunctionDefinition greengrass:GetFunctionDefinitionVersion greengrass:GetGroup greengrass:GetGroupCertificateAuthority greengrass:GetGroupCertificateConfiguration greengrass:GetGroupVersion greengrass:GetLoggerDefinition greengrass:GetLoggerDefinitionVersion greengrass:GetResourceDefinition greengrass:GetResourceDefinitionVersion greengrass:GetServiceRoleForAccount greengrass:GetSubscriptionDefinition greengrass:GetSubscriptionDefinitionVersion greengrass:GetThingRuntimeConfiguration greengrass:ListBulkDeploymentDetailedReports greengrass:ListBulkDeployments greengrass:ListClientDevicesAssociatedWithCoreDevice greengrass:ListComponentVersions greengrass:ListComponents greengrass:ListConnectorDefinitionVersions greengrass:ListConnectorDefinitions greengrass:ListCoreDefinitionVersions greengrass:ListCoreDefinitions greengrass:ListCoreDevices greengrass:ListDeployments greengrass:ListDeviceDefinitionVersions greengrass:ListDeviceDefinitions greengrass:ListEffectiveDeployments greengrass:ListFunctionDefinitionVersions greengrass:ListFunctionDefinitions greengrass:ListGroupCertificateAuthorities greengrass:ListGroupVersions greengrass:ListGroups greengrass:ListInstalledComponents greengrass:ListLoggerDefinitionVersions greengrass:ListLoggerDefinitions greengrass:ListResourceDefinitionVersions greengrass:ListResourceDefinitions greengrass:ListSubscriptionDefinitionVersions greengrass:ListSubscriptionDefinitions greengrass:ResetDeployments greengrass:StartBulkDeployment greengrass:StopBulkDeployment greengrass:UpdateConnectivityInfo greengrass:UpdateConnectorDefinition greengrass:UpdateCoreDefinition greengrass:UpdateDeviceDefinition greengrass:UpdateFunctionDefinition greengrass:UpdateGroup greengrass:UpdateGroupCertificateConfiguration greengrass:UpdateLoggerDefinition greengrass:UpdateResourceDefinition greengrass:UpdateSubscriptionDefinition greengrass:UpdateThingRuntimeConfiguration |
| groundstation | groundstation:CancelContact groundstation:CreateConfig groundstation:CreateDataflowEndpointGroup groundstation:CreateDataflowEndpointGroupV2 groundstation:CreateEphemeris groundstation:CreateMissionProfile groundstation:DeleteConfig groundstation:DeleteDataflowEndpointGroup groundstation:DeleteEphemeris groundstation:DeleteMissionProfile groundstation:DescribeContact groundstation:DescribeEphemeris groundstation:GetConfig groundstation:GetDataflowEndpointGroup groundstation:GetMinuteUsage groundstation:GetMissionProfile groundstation:GetSatellite groundstation:ListConfigs groundstation:ListContacts groundstation:ListDataflowEndpointGroups groundstation:ListEphemerides groundstation:ListGroundStations groundstation:ListMissionProfiles groundstation:ListSatellites groundstation:RegisterAgent groundstation:ReserveContact groundstation:UpdateAgentStatus groundstation:UpdateConfig groundstation:UpdateEphemeris groundstation:UpdateMissionProfile |
| guardduty | guardduty:AcceptAdministratorInvitation guardduty:AcceptInvitation guardduty:ArchiveFindings guardduty:CreateDetector guardduty:CreateFilter guardduty:CreateIPSet guardduty:CreateMalwareProtectionPlan guardduty:CreateMembers guardduty:CreatePublishingDestination guardduty:CreateSampleFindings guardduty:CreateThreatEntitySet guardduty:CreateThreatIntelSet guardduty:CreateTrustedEntitySet guardduty:DeclineInvitations guardduty:DeleteDetector guardduty:DeleteFilter guardduty:DeleteIPSet guardduty:DeleteInvitations guardduty:DeleteMalwareProtectionPlan guardduty:DeleteMembers guardduty:DeletePublishingDestination guardduty:DeleteThreatEntitySet guardduty:DeleteThreatIntelSet guardduty:DeleteTrustedEntitySet guardduty:DescribeMalwareScans guardduty:DescribeOrganizationConfiguration guardduty:DescribePublishingDestination guardduty:DisableOrganizationAdminAccount guardduty:DisassociateFromAdministratorAccount guardduty:DisassociateFromMasterAccount guardduty:DisassociateMembers guardduty:EnableOrganizationAdminAccount guardduty:GetAdministratorAccount guardduty:GetCoverageStatistics guardduty:GetDetector guardduty:GetFilter guardduty:GetFindings guardduty:GetFindingsStatistics guardduty:GetIPSet guardduty:GetInvitationsCount guardduty:GetMalwareProtectionPlan guardduty:GetMalwareScan guardduty:GetMalwareScanSettings guardduty:GetMasterAccount guardduty:GetMemberDetectors guardduty:GetMembers guardduty:GetOrganizationStatistics guardduty:GetRemainingFreeTrialDays guardduty:GetThreatEntitySet guardduty:GetThreatIntelSet guardduty:GetTrustedEntitySet guardduty:GetUsageStatistics guardduty:InviteMembers guardduty:ListCoverage guardduty:ListDetectors guardduty:ListFilters guardduty:ListFindings guardduty:ListIPSets guardduty:ListInvitations guardduty:ListMalwareProtectionPlans guardduty:ListMalwareScans guardduty:ListMembers guardduty:ListOrganizationAdminAccounts guardduty:ListPublishingDestinations guardduty:ListThreatEntitySets guardduty:ListThreatIntelSets guardduty:ListTrustedEntitySets guardduty:StartMalwareScan guardduty:StartMonitoringMembers guardduty:StopMonitoringMembers guardduty:UnarchiveFindings guardduty:UpdateDetector guardduty:UpdateFilter guardduty:UpdateFindingsFeedback guardduty:UpdateIPSet guardduty:UpdateMalwareProtectionPlan guardduty:UpdateMalwareScanSettings guardduty:UpdateMemberDetectors guardduty:UpdateOrganizationConfiguration guardduty:UpdatePublishingDestination guardduty:UpdateThreatEntitySet guardduty:UpdateThreatIntelSet guardduty:UpdateTrustedEntitySet |
| healthlake | healthlake:CancelFHIRExportJobWithDelete healthlake:CreateFHIRDatastore healthlake:CreateResource healthlake:DeleteFHIRDatastore healthlake:DeleteResource healthlake:DescribeFHIRDatastore healthlake:DescribeFHIRExportJob healthlake:DescribeFHIRExportJobWithGet healthlake:DescribeFHIRImportJob healthlake:GetCapabilities healthlake:ListFHIRDatastores healthlake:ListFHIRExportJobs healthlake:ListFHIRImportJobs healthlake:ReadResource healthlake:SearchEverything healthlake:SearchWithGet healthlake:SearchWithPost healthlake:StartFHIRExportJob healthlake:StartFHIRExportJobWithPost healthlake:StartFHIRImportJob healthlake:UpdateResource |
| honeycode | honeycode:BatchCreateTableRows honeycode:BatchDeleteTableRows honeycode:BatchUpdateTableRows honeycode:BatchUpsertTableRows honeycode:DescribeTableDataImportJob honeycode:GetScreenData honeycode:InvokeScreenAutomation honeycode:ListTableColumns honeycode:ListTableRows honeycode:ListTables honeycode:QueryTableRows honeycode:StartTableDataImportJob |
| iam | iam:AddClientIDToOpenIDConnectProvider iam:AddRoleToInstanceProfile iam:AddUserToGroup iam:AttachGroupPolicy iam:AttachRolePolicy iam:AttachUserPolicy iam:ChangePassword iam:CreateAccessKey iam:CreateAccountAlias iam:CreateGroup iam:CreateInstanceProfile iam:CreateLoginProfile iam:CreateOpenIDConnectProvider iam:CreatePolicy iam:CreatePolicyVersion iam:CreateRole iam:CreateSAMLProvider iam:CreateServiceLinkedRole iam:CreateServiceSpecificCredential iam:CreateUser iam:CreateVirtualMFADevice iam:DeactivateMFADevice iam:DeleteAccessKey iam:DeleteAccountAlias iam:DeleteAccountPasswordPolicy iam:DeleteCloudFrontPublicKey iam:DeleteGroup iam:DeleteGroupPolicy iam:DeleteInstanceProfile iam:DeleteLoginProfile iam:DeleteOpenIDConnectProvider iam:DeletePolicy iam:DeletePolicyVersion iam:DeleteRole iam:DeleteRolePermissionsBoundary iam:DeleteRolePolicy iam:DeleteSAMLProvider iam:DeleteSSHPublicKey iam:DeleteServerCertificate iam:DeleteServiceLinkedRole iam:DeleteServiceSpecificCredential iam:DeleteSigningCertificate iam:DeleteUser iam:DeleteUserPermissionsBoundary iam:DeleteUserPolicy iam:DeleteVirtualMFADevice iam:DetachGroupPolicy iam:DetachRolePolicy iam:DetachUserPolicy iam:DisableOrganizationsRootCredentialsManagement iam:DisableOrganizationsRootSessions iam:DisableOutboundWebIdentityFederation iam:EnableMFADevice iam:EnableOrganizationsRootCredentialsManagement iam:EnableOrganizationsRootSessions iam:EnableOutboundWebIdentityFederation iam:GenerateCredentialReport iam:GenerateOrganizationsAccessReport iam:GenerateServiceLastAccessedDetails iam:GetAccessKeyLastUsed iam:GetAccountAuthorizationDetails iam:GetAccountEmailAddress iam:GetAccountName iam:GetAccountPasswordPolicy iam:GetAccountSummary iam:GetCloudFrontPublicKey iam:GetContextKeysForCustomPolicy iam:GetContextKeysForPrincipalPolicy iam:GetCredentialReport iam:GetGroup iam:GetGroupPolicy iam:GetInstanceProfile iam:GetLoginProfile iam:GetMFADevice iam:GetOpenIDConnectProvider iam:GetOrganizationsAccessReport iam:GetOutboundWebIdentityFederationInfo iam:GetPolicy iam:GetPolicyVersion iam:GetRole iam:GetRolePolicy iam:GetSAMLProvider iam:GetSSHPublicKey iam:GetServerCertificate iam:GetServiceLastAccessedDetails iam:GetServiceLastAccessedDetailsWithEntities iam:GetServiceLinkedRoleDeletionStatus iam:GetUser iam:GetUserPolicy iam:ListAccessKeys iam:ListAccountAliases iam:ListAttachedGroupPolicies iam:ListAttachedRolePolicies iam:ListAttachedUserPolicies iam:ListCloudFrontPublicKeys iam:ListDelegationRequests iam:ListEntitiesForPolicy iam:ListGroupPolicies iam:ListGroups iam:ListGroupsForUser iam:ListInstanceProfiles iam:ListInstanceProfilesForRole iam:ListMFADevices iam:ListOpenIDConnectProviders iam:ListOrganizationsFeatures iam:ListPolicies iam:ListPoliciesGrantingServiceAccess iam:ListPolicyVersions iam:ListRolePolicies iam:ListRoles iam:ListSAMLProviders iam:ListSSHPublicKeys iam:ListSTSRegionalEndpointsStatus iam:ListServerCertificates iam:ListServiceSpecificCredentials iam:ListSigningCertificates iam:ListUserPolicies iam:ListUsers iam:ListVirtualMFADevices iam:PutGroupPolicy iam:PutRolePermissionsBoundary iam:PutRolePolicy iam:PutUserPermissionsBoundary iam:PutUserPolicy iam:RemoveClientIDFromOpenIDConnectProvider iam:RemoveRoleFromInstanceProfile iam:RemoveUserFromGroup iam:ResetServiceSpecificCredential iam:ResyncMFADevice iam:SetDefaultPolicyVersion iam:SetSTSRegionalEndpointStatus iam:SetSecurityTokenServicePreferences iam:SimulateCustomPolicy iam:SimulatePrincipalPolicy iam:UpdateAccessKey iam:UpdateAccountEmailAddress iam:UpdateAccountName iam:UpdateAccountPasswordPolicy iam:UpdateAssumeRolePolicy iam:UpdateCloudFrontPublicKey iam:UpdateGroup iam:UpdateLoginProfile iam:UpdateOpenIDConnectProviderThumbprint iam:UpdateRole iam:UpdateRoleDescription iam:UpdateSAMLProvider iam:UpdateSSHPublicKey iam:UpdateServerCertificate iam:UpdateServiceSpecificCredential iam:UpdateSigningCertificate iam:UpdateUser iam:UploadCloudFrontPublicKey iam:UploadSSHPublicKey iam:UploadServerCertificate iam:UploadSigningCertificate |
| identitystore | identitystore:CreateGroup identitystore:CreateGroupMembership identitystore:CreateUser identitystore:DeleteGroup identitystore:DeleteGroupMembership identitystore:DeleteUser identitystore:DescribeGroup identitystore:DescribeGroupMembership identitystore:DescribeUser identitystore:GetGroupId identitystore:GetGroupMembershipId identitystore:GetUserId identitystore:IsMemberInGroups identitystore:ListGroupMemberships identitystore:ListGroupMembershipsForMember identitystore:ListGroups identitystore:ListUsers identitystore:UpdateGroup identitystore:UpdateUser |
| imagebuilder | imagebuilder:CancelImageCreation imagebuilder:CancelLifecycleExecution imagebuilder:CreateComponent imagebuilder:CreateContainerRecipe imagebuilder:CreateDistributionConfiguration imagebuilder:CreateImage imagebuilder:CreateImagePipeline imagebuilder:CreateImageRecipe imagebuilder:CreateInfrastructureConfiguration imagebuilder:CreateLifecyclePolicy imagebuilder:CreateWorkflow imagebuilder:DeleteComponent imagebuilder:DeleteContainerRecipe imagebuilder:DeleteDistributionConfiguration imagebuilder:DeleteImage imagebuilder:DeleteImagePipeline imagebuilder:DeleteImageRecipe imagebuilder:DeleteInfrastructureConfiguration imagebuilder:DeleteLifecyclePolicy imagebuilder:DeleteWorkflow imagebuilder:DistributeImage imagebuilder:GetComponentPolicy imagebuilder:GetContainerRecipePolicy imagebuilder:GetImagePolicy imagebuilder:GetImageRecipePolicy imagebuilder:GetLifecycleExecution imagebuilder:GetLifecyclePolicy imagebuilder:GetMarketplaceResource imagebuilder:GetWorkflowExecution imagebuilder:GetWorkflowStepExecution imagebuilder:ImportComponent imagebuilder:ImportDiskImage imagebuilder:ImportVmImage imagebuilder:ListComponentBuildVersions imagebuilder:ListComponents imagebuilder:ListContainerRecipes imagebuilder:ListDistributionConfigurations imagebuilder:ListImageBuildVersions imagebuilder:ListImagePackages imagebuilder:ListImagePipelineImages imagebuilder:ListImagePipelines imagebuilder:ListImageRecipes imagebuilder:ListImageScanFindingAggregations imagebuilder:ListImageScanFindings imagebuilder:ListImages imagebuilder:ListInfrastructureConfigurations imagebuilder:ListLifecycleExecutionResources imagebuilder:ListLifecycleExecutions imagebuilder:ListLifecyclePolicies imagebuilder:ListWaitingWorkflowSteps imagebuilder:ListWorkflowExecutions imagebuilder:ListWorkflowStepExecutions imagebuilder:ListWorkflows imagebuilder:PutComponentPolicy imagebuilder:PutContainerRecipePolicy imagebuilder:PutImagePolicy imagebuilder:PutImageRecipePolicy imagebuilder:RetryImage imagebuilder:SendWorkflowStepAction imagebuilder:StartImagePipelineExecution imagebuilder:StartResourceStateUpdate imagebuilder:UpdateDistributionConfiguration imagebuilder:UpdateImagePipeline imagebuilder:UpdateInfrastructureConfiguration |
| inspector | inspector:AddAttributesToFindings inspector:CreateAssessmentTarget inspector:CreateAssessmentTemplate inspector:CreateExclusionsPreview inspector:CreateResourceGroup inspector:DeleteAssessmentRun inspector:DeleteAssessmentTarget inspector:DeleteAssessmentTemplate inspector:DescribeAssessmentRuns inspector:DescribeAssessmentTargets inspector:DescribeAssessmentTemplates inspector:DescribeCrossAccountAccessRole inspector:DescribeExclusions inspector:DescribeFindings inspector:DescribeResourceGroups inspector:DescribeRulesPackages inspector:GetAssessmentReport inspector:GetExclusionsPreview inspector:GetTelemetryMetadata inspector:ListAssessmentRunAgents inspector:ListAssessmentRuns inspector:ListAssessmentTargets inspector:ListAssessmentTemplates inspector:ListEventSubscriptions inspector:ListExclusions inspector:ListFindings inspector:ListRulesPackages inspector:PreviewAgents inspector:RegisterCrossAccountAccessRole inspector:RemoveAttributesFromFindings inspector:StartAssessmentRun inspector:StopAssessmentRun inspector:SubscribeToEvent inspector:UnsubscribeFromEvent inspector:UpdateAssessmentTarget |
| inspector2 | inspector2:AssociateMember inspector2:BatchGetAccountStatus inspector2:BatchGetCodeSnippet inspector2:BatchGetFindingDetails inspector2:BatchGetFreeTrialInfo inspector2:BatchGetMemberEc2DeepInspectionStatus inspector2:BatchUpdateMemberEc2DeepInspectionStatus inspector2:CancelFindingsReport inspector2:CancelSbomExport inspector2:CreateCisScanConfiguration inspector2:CreateCodeSecurityIntegration inspector2:CreateFilter inspector2:CreateFindingsReport inspector2:CreateSbomExport inspector2:DeleteCisScanConfiguration inspector2:DeleteCodeSecurityIntegration inspector2:DeleteFilter inspector2:DescribeOrganizationConfiguration inspector2:Disable inspector2:DisableDelegatedAdminAccount inspector2:DisassociateMember inspector2:Enable inspector2:EnableDelegatedAdminAccount inspector2:GetCisScanReport inspector2:GetCisScanResultDetails inspector2:GetClustersForImage inspector2:GetCodeSecurityIntegration inspector2:GetCodeSecurityScan inspector2:GetConfiguration inspector2:GetDelegatedAdminAccount inspector2:GetEc2DeepInspectionConfiguration inspector2:GetEncryptionKey inspector2:GetFindingsReportStatus inspector2:GetMember inspector2:GetSbomExport inspector2:ListAccountPermissions inspector2:ListCisScanConfigurations inspector2:ListCisScanResultsAggregatedByChecks inspector2:ListCisScanResultsAggregatedByTargetResource inspector2:ListCisScans inspector2:ListCodeSecurityIntegrations inspector2:ListCodeSecurityScanConfigurations inspector2:ListCoverage inspector2:ListCoverageStatistics inspector2:ListDelegatedAdminAccounts inspector2:ListFilters inspector2:ListFindingAggregations inspector2:ListFindings inspector2:ListMembers inspector2:ListUsageTotals inspector2:ResetEncryptionKey inspector2:SearchVulnerabilities inspector2:SendCisSessionHealth inspector2:SendCisSessionTelemetry inspector2:StartCisSession inspector2:StartCodeSecurityScan inspector2:StopCisSession inspector2:UpdateCisScanConfiguration inspector2:UpdateCodeSecurityIntegration inspector2:UpdateConfiguration inspector2:UpdateEc2DeepInspectionConfiguration inspector2:UpdateEncryptionKey inspector2:UpdateFilter inspector2:UpdateOrgEc2DeepInspectionConfiguration inspector2:UpdateOrganizationConfiguration |
| iot | iot:AcceptCertificateTransfer iot:AddThingToBillingGroup iot:AddThingToThingGroup iot:AssociateSbomWithPackageVersion iot:AssociateTargetsWithJob iot:AttachPolicy iot:AttachPrincipalPolicy iot:AttachSecurityProfile iot:AttachThingPrincipal iot:CancelAuditMitigationActionsTask iot:CancelAuditTask iot:CancelCertificateTransfer iot:CancelDetectMitigationActionsTask iot:CancelJob iot:CancelJobExecution iot:ClearDefaultAuthorizer iot:ConfirmTopicRuleDestination iot:CreateAuditSuppression iot:CreateAuthorizer iot:CreateBillingGroup iot:CreateCertificateFromCsr iot:CreateCertificateProvider iot:CreateCommand iot:CreateCustomMetric iot:CreateDimension iot:CreateDomainConfiguration iot:CreateDynamicThingGroup iot:CreateFleetMetric iot:CreateJob iot:CreateJobTemplate iot:CreateKeysAndCertificate iot:CreateMitigationAction iot:CreateOTAUpdate iot:CreatePackage iot:CreatePackageVersion iot:CreatePolicy iot:CreatePolicyVersion iot:CreateProvisioningClaim iot:CreateProvisioningTemplate iot:CreateProvisioningTemplateVersion iot:CreateRoleAlias iot:CreateScheduledAudit iot:CreateSecurityProfile iot:CreateStream iot:CreateThing iot:CreateThingGroup iot:CreateThingType iot:CreateTopicRule iot:CreateTopicRuleDestination iot:DeleteAccountAuditConfiguration iot:DeleteAuditSuppression iot:DeleteAuthorizer iot:DeleteBillingGroup iot:DeleteCACertificate iot:DeleteCertificate iot:DeleteCertificateProvider iot:DeleteCommand iot:DeleteCustomMetric iot:DeleteDimension iot:DeleteDomainConfiguration iot:DeleteDynamicThingGroup iot:DeleteFleetMetric iot:DeleteJob iot:DeleteJobExecution iot:DeleteJobTemplate iot:DeleteMitigationAction iot:DeleteOTAUpdate iot:DeletePackage iot:DeletePackageVersion iot:DeletePolicy iot:DeletePolicyVersion iot:DeleteProvisioningTemplate iot:DeleteProvisioningTemplateVersion iot:DeleteRegistrationCode iot:DeleteRoleAlias iot:DeleteScheduledAudit iot:DeleteSecurityProfile iot:DeleteStream iot:DeleteThing iot:DeleteThingGroup iot:DeleteThingType iot:DeleteTopicRule iot:DeleteTopicRuleDestination iot:DeleteV2LoggingLevel iot:DeprecateThingType iot:DescribeAccountAuditConfiguration iot:DescribeAuditFinding iot:DescribeAuditMitigationActionsTask iot:DescribeAuditSuppression iot:DescribeAuditTask iot:DescribeAuthorizer iot:DescribeBillingGroup iot:DescribeCACertificate iot:DescribeCertificate iot:DescribeCertificateProvider iot:DescribeCustomMetric iot:DescribeDefaultAuthorizer iot:DescribeDetectMitigationActionsTask iot:DescribeDimension iot:DescribeDomainConfiguration iot:DescribeEncryptionConfiguration iot:DescribeEndpoint iot:DescribeEventConfigurations iot:DescribeFleetMetric iot:DescribeIndex iot:DescribeJob iot:DescribeJobExecution iot:DescribeJobTemplate iot:DescribeManagedJobTemplate iot:DescribeMitigationAction iot:DescribeProvisioningTemplate iot:DescribeProvisioningTemplateVersion iot:DescribeRoleAlias iot:DescribeScheduledAudit iot:DescribeSecurityProfile iot:DescribeStream iot:DescribeThing iot:DescribeThingGroup iot:DescribeThingRegistrationTask iot:DescribeThingType iot:DetachPolicy iot:DetachPrincipalPolicy iot:DetachSecurityProfile iot:DetachThingPrincipal iot:DisableTopicRule iot:DisassociateSbomFromPackageVersion iot:EnableTopicRule iot:GetBehaviorModelTrainingSummaries iot:GetBucketsAggregation iot:GetCardinality iot:GetCommand iot:GetEffectivePolicies iot:GetJobDocument iot:GetLoggingOptions iot:GetOTAUpdate iot:GetPackage iot:GetPackageConfiguration iot:GetPackageVersion iot:GetPercentiles iot:GetPolicy iot:GetPolicyVersion iot:GetRegistrationCode iot:GetStatistics iot:GetThingConnectivityData iot:GetTopicRule iot:GetTopicRuleDestination iot:GetV2LoggingOptions iot:ListActiveViolations iot:ListAttachedPolicies iot:ListAuditFindings iot:ListAuditMitigationActionsExecutions iot:ListAuditMitigationActionsTasks iot:ListAuditSuppressions iot:ListAuditTasks iot:ListAuthorizers iot:ListBillingGroups iot:ListCACertificates iot:ListCertificateProviders iot:ListCertificates iot:ListCertificatesByCA iot:ListCommands iot:ListCustomMetrics iot:ListDetectMitigationActionsExecutions iot:ListDetectMitigationActionsTasks iot:ListDimensions iot:ListDomainConfigurations iot:ListFleetMetrics iot:ListIndices iot:ListJobExecutionsForJob iot:ListJobExecutionsForThing iot:ListJobTemplates iot:ListJobs iot:ListManagedJobTemplates iot:ListMetricValues iot:ListMitigationActions iot:ListOTAUpdates iot:ListOutgoingCertificates iot:ListPackageVersions iot:ListPackages iot:ListPolicies iot:ListPolicyPrincipals iot:ListPolicyVersions iot:ListPrincipalPolicies iot:ListPrincipalThings iot:ListPrincipalThingsV2 iot:ListProvisioningTemplateVersions iot:ListProvisioningTemplates iot:ListRelatedResourcesForAuditFinding iot:ListRoleAliases iot:ListSbomValidationResults iot:ListScheduledAudits iot:ListSecurityProfiles iot:ListSecurityProfilesForTarget iot:ListStreams iot:ListTargetsForPolicy iot:ListTargetsForSecurityProfile iot:ListThingGroups iot:ListThingGroupsForThing iot:ListThingPrincipals iot:ListThingPrincipalsV2 iot:ListThingRegistrationTaskReports iot:ListThingRegistrationTasks iot:ListThingTypes iot:ListThings iot:ListThingsInBillingGroup iot:ListThingsInThingGroup iot:ListTopicRuleDestinations iot:ListTopicRules iot:ListV2LoggingLevels iot:ListViolationEvents iot:PutVerificationStateOnViolation iot:RegisterCACertificate iot:RegisterCertificate iot:RegisterCertificateWithoutCA iot:RegisterThing iot:RejectCertificateTransfer iot:RemoveThingFromBillingGroup iot:RemoveThingFromThingGroup iot:ReplaceTopicRule iot:SearchIndex iot:SetDefaultAuthorizer iot:SetDefaultPolicyVersion iot:SetLoggingOptions iot:SetV2LoggingLevel iot:SetV2LoggingOptions iot:StartAuditMitigationActionsTask iot:StartDetectMitigationActionsTask iot:StartOnDemandAuditTask iot:StartThingRegistrationTask iot:StopThingRegistrationTask iot:TestAuthorization iot:TestInvokeAuthorizer iot:TransferCertificate iot:UpdateAccountAuditConfiguration iot:UpdateAuditSuppression iot:UpdateAuthorizer iot:UpdateBillingGroup iot:UpdateCACertificate iot:UpdateCertificate iot:UpdateCertificateProvider iot:UpdateCommand iot:UpdateCustomMetric iot:UpdateDimension iot:UpdateDomainConfiguration iot:UpdateDynamicThingGroup iot:UpdateEncryptionConfiguration iot:UpdateEventConfigurations iot:UpdateFleetMetric iot:UpdateIndexingConfiguration iot:UpdateJob iot:UpdateMitigationAction iot:UpdatePackage iot:UpdatePackageConfiguration iot:UpdatePackageVersion iot:UpdateProvisioningTemplate iot:UpdateRoleAlias iot:UpdateScheduledAudit iot:UpdateSecurityProfile iot:UpdateStream iot:UpdateThing iot:UpdateThingGroup iot:UpdateThingGroupsForThing iot:UpdateThingType iot:UpdateTopicRuleDestination iot:ValidateSecurityProfileBehaviors |
| iotanalytics | iotanalytics:CancelPipelineReprocessing iotanalytics:CreateChannel iotanalytics:CreateDataset iotanalytics:CreateDatasetContent iotanalytics:CreateDatastore iotanalytics:CreatePipeline iotanalytics:DeleteChannel iotanalytics:DeleteDataset iotanalytics:DeleteDatasetContent iotanalytics:DeleteDatastore iotanalytics:DeletePipeline iotanalytics:DescribeChannel iotanalytics:DescribeDataset iotanalytics:DescribeDatastore iotanalytics:DescribeLoggingOptions iotanalytics:DescribePipeline iotanalytics:GetDatasetContent iotanalytics:ListChannels iotanalytics:ListDatasetContents iotanalytics:ListDatasets iotanalytics:ListDatastores iotanalytics:ListPipelines iotanalytics:PutLoggingOptions iotanalytics:RunPipelineActivity iotanalytics:SampleChannelData iotanalytics:StartPipelineReprocessing iotanalytics:UpdateChannel iotanalytics:UpdateDataset iotanalytics:UpdateDatastore iotanalytics:UpdatePipeline |
| iotdeviceadvisor | iotdeviceadvisor:CreateSuiteDefinition iotdeviceadvisor:DeleteSuiteDefinition iotdeviceadvisor:GetEndpoint iotdeviceadvisor:GetSuiteDefinition iotdeviceadvisor:GetSuiteRun iotdeviceadvisor:GetSuiteRunReport iotdeviceadvisor:ListSuiteDefinitions iotdeviceadvisor:ListSuiteRuns iotdeviceadvisor:StartSuiteRun iotdeviceadvisor:StopSuiteRun iotdeviceadvisor:UpdateSuiteDefinition |
| iotevents | iotevents:BatchAcknowledgeAlarm iotevents:BatchDeleteDetector iotevents:BatchDisableAlarm iotevents:BatchEnableAlarm iotevents:BatchResetAlarm iotevents:BatchSnoozeAlarm iotevents:BatchUpdateDetector iotevents:CreateAlarmModel iotevents:CreateDetectorModel iotevents:CreateInput iotevents:DeleteAlarmModel iotevents:DeleteDetectorModel iotevents:DeleteInput iotevents:DescribeAlarm iotevents:DescribeAlarmModel iotevents:DescribeDetector iotevents:DescribeDetectorModel iotevents:DescribeDetectorModelAnalysis iotevents:DescribeInput iotevents:DescribeLoggingOptions iotevents:GetDetectorModelAnalysisResults iotevents:ListAlarmModelVersions iotevents:ListAlarmModels iotevents:ListAlarms iotevents:ListDetectorModelVersions iotevents:ListDetectorModels iotevents:ListDetectors iotevents:ListInputRoutings iotevents:ListInputs iotevents:PutLoggingOptions iotevents:StartDetectorModelAnalysis iotevents:UpdateAlarmModel iotevents:UpdateDetectorModel iotevents:UpdateInput |
| iotfleethub | iotfleethub:CreateApplication iotfleethub:DeleteApplication iotfleethub:DescribeApplication iotfleethub:ListApplications iotfleethub:UpdateApplication |
| iotsitewise | iotsitewise:AssociateAssets iotsitewise:AssociateTimeSeriesToAssetProperty iotsitewise:BatchAssociateProjectAssets iotsitewise:BatchDisassociateProjectAssets iotsitewise:CreateAccessPolicy iotsitewise:CreateAsset iotsitewise:CreateAssetModel iotsitewise:CreateAssetModelCompositeModel iotsitewise:CreateBulkImportJob iotsitewise:CreateComputationModel iotsitewise:CreateDashboard iotsitewise:CreateDataset iotsitewise:CreateGateway iotsitewise:CreatePortal iotsitewise:CreateProject iotsitewise:DeleteAccessPolicy iotsitewise:DeleteAsset iotsitewise:DeleteAssetModel iotsitewise:DeleteAssetModelCompositeModel iotsitewise:DeleteComputationModel iotsitewise:DeleteDashboard iotsitewise:DeleteDataset iotsitewise:DeleteGateway iotsitewise:DeletePortal iotsitewise:DeleteProject iotsitewise:DeleteTimeSeries iotsitewise:DescribeAccessPolicy iotsitewise:DescribeAsset iotsitewise:DescribeAssetCompositeModel iotsitewise:DescribeAssetModel iotsitewise:DescribeAssetModelCompositeModel iotsitewise:DescribeAssetModelInterfaceRelationship iotsitewise:DescribeAssetProperty iotsitewise:DescribeBulkImportJob iotsitewise:DescribeComputationModel iotsitewise:DescribeComputationModelExecutionSummary iotsitewise:DescribeDashboard iotsitewise:DescribeDataset iotsitewise:DescribeDefaultEncryptionConfiguration iotsitewise:DescribeExecution iotsitewise:DescribeGateway iotsitewise:DescribeGatewayCapabilityConfiguration iotsitewise:DescribeLoggingOptions iotsitewise:DescribePortal iotsitewise:DescribeProject iotsitewise:DescribeStorageConfiguration iotsitewise:DescribeTimeSeries iotsitewise:DisassociateAssets iotsitewise:DisassociateTimeSeriesFromAssetProperty iotsitewise:ExecuteAction iotsitewise:ExecuteQuery iotsitewise:ListAccessPolicies iotsitewise:ListActions iotsitewise:ListAssetModelCompositeModels iotsitewise:ListAssetModelProperties iotsitewise:ListAssetModels iotsitewise:ListAssetProperties iotsitewise:ListAssetRelationships iotsitewise:ListAssets iotsitewise:ListAssociatedAssets iotsitewise:ListBulkImportJobs iotsitewise:ListCompositionRelationships iotsitewise:ListComputationModelDataBindingUsages iotsitewise:ListComputationModelResolveToResources iotsitewise:ListComputationModels iotsitewise:ListDashboards iotsitewise:ListDatasets iotsitewise:ListExecutions iotsitewise:ListGateways iotsitewise:ListInterfaceRelationships iotsitewise:ListPortals iotsitewise:ListProjectAssets iotsitewise:ListProjects iotsitewise:ListTimeSeries iotsitewise:PutDefaultEncryptionConfiguration iotsitewise:PutLoggingOptions iotsitewise:PutStorageConfiguration iotsitewise:UpdateAccessPolicy iotsitewise:UpdateAsset iotsitewise:UpdateAssetModel iotsitewise:UpdateAssetModelCompositeModel iotsitewise:UpdateAssetProperty iotsitewise:UpdateComputationModel iotsitewise:UpdateDashboard iotsitewise:UpdateDataset iotsitewise:UpdateGateway iotsitewise:UpdateGatewayCapabilityConfiguration iotsitewise:UpdatePortal iotsitewise:UpdateProject |
| iottwinmaker | iottwinmaker:CancelMetadataTransferJob iottwinmaker:CreateComponentType iottwinmaker:CreateEntity iottwinmaker:CreateMetadataTransferJob iottwinmaker:CreateScene iottwinmaker:CreateSyncJob iottwinmaker:CreateWorkspace iottwinmaker:DeleteComponentType iottwinmaker:DeleteEntity iottwinmaker:DeleteScene iottwinmaker:DeleteSyncJob iottwinmaker:DeleteWorkspace iottwinmaker:ExecuteQuery iottwinmaker:GetMetadataTransferJob iottwinmaker:GetPricingPlan iottwinmaker:GetScene iottwinmaker:GetSyncJob iottwinmaker:ListComponentTypes iottwinmaker:ListComponents iottwinmaker:ListEntities iottwinmaker:ListMetadataTransferJobs iottwinmaker:ListProperties iottwinmaker:ListScenes iottwinmaker:ListSyncJobs iottwinmaker:ListSyncResources iottwinmaker:ListWorkspaces iottwinmaker:UpdateComponentType iottwinmaker:UpdateEntity iottwinmaker:UpdatePricingPlan iottwinmaker:UpdateScene iottwinmaker:UpdateWorkspace |
| iotwireless | iotwireless:AssociateAwsAccountWithPartnerAccount iotwireless:AssociateMulticastGroupWithFuotaTask iotwireless:AssociateWirelessDeviceWithFuotaTask iotwireless:AssociateWirelessDeviceWithMulticastGroup iotwireless:AssociateWirelessDeviceWithThing iotwireless:AssociateWirelessGatewayWithCertificate iotwireless:AssociateWirelessGatewayWithThing iotwireless:CancelMulticastGroupSession iotwireless:CreateDestination iotwireless:CreateDeviceProfile iotwireless:CreateFuotaTask iotwireless:CreateMulticastGroup iotwireless:CreateNetworkAnalyzerConfiguration iotwireless:CreateServiceProfile iotwireless:CreateWirelessDevice iotwireless:CreateWirelessGateway iotwireless:CreateWirelessGatewayTask iotwireless:CreateWirelessGatewayTaskDefinition iotwireless:DeleteDestination iotwireless:DeleteDeviceProfile iotwireless:DeleteFuotaTask iotwireless:DeleteMulticastGroup iotwireless:DeleteNetworkAnalyzerConfiguration iotwireless:DeleteQueuedMessages iotwireless:DeleteServiceProfile iotwireless:DeleteWirelessDevice iotwireless:DeleteWirelessDeviceImportTask iotwireless:DeleteWirelessGateway iotwireless:DeleteWirelessGatewayTask iotwireless:DeleteWirelessGatewayTaskDefinition iotwireless:DeregisterWirelessDevice iotwireless:DisassociateAwsAccountFromPartnerAccount iotwireless:DisassociateMulticastGroupFromFuotaTask iotwireless:DisassociateWirelessDeviceFromFuotaTask iotwireless:DisassociateWirelessDeviceFromMulticastGroup iotwireless:DisassociateWirelessDeviceFromThing iotwireless:DisassociateWirelessGatewayFromCertificate iotwireless:DisassociateWirelessGatewayFromThing iotwireless:GetDestination iotwireless:GetDeviceProfile iotwireless:GetEventConfigurationByResourceTypes iotwireless:GetFuotaTask iotwireless:GetLogLevelsByResourceTypes iotwireless:GetMetricConfiguration iotwireless:GetMetrics iotwireless:GetMulticastGroup iotwireless:GetMulticastGroupSession iotwireless:GetNetworkAnalyzerConfiguration iotwireless:GetPartnerAccount iotwireless:GetPosition iotwireless:GetPositionConfiguration iotwireless:GetPositionEstimate iotwireless:GetResourceEventConfiguration iotwireless:GetResourceLogLevel iotwireless:GetResourcePosition iotwireless:GetServiceEndpoint iotwireless:GetServiceProfile iotwireless:GetWirelessDevice iotwireless:GetWirelessDeviceImportTask iotwireless:GetWirelessDeviceStatistics iotwireless:GetWirelessGateway iotwireless:GetWirelessGatewayCertificate iotwireless:GetWirelessGatewayFirmwareInformation iotwireless:GetWirelessGatewayStatistics iotwireless:GetWirelessGatewayTask iotwireless:GetWirelessGatewayTaskDefinition iotwireless:ListDestinations iotwireless:ListDeviceProfiles iotwireless:ListDevicesForWirelessDeviceImportTask iotwireless:ListEventConfigurations iotwireless:ListFuotaTasks iotwireless:ListMulticastGroups iotwireless:ListMulticastGroupsByFuotaTask iotwireless:ListNetworkAnalyzerConfigurations iotwireless:ListPartnerAccounts iotwireless:ListPositionConfigurations iotwireless:ListQueuedMessages iotwireless:ListServiceProfiles iotwireless:ListWirelessDeviceImportTasks iotwireless:ListWirelessDevices iotwireless:ListWirelessGatewayTaskDefinitions iotwireless:ListWirelessGateways iotwireless:PutPositionConfiguration iotwireless:PutResourceLogLevel iotwireless:ResetAllResourceLogLevels iotwireless:ResetResourceLogLevel iotwireless:SendDataToMulticastGroup iotwireless:SendDataToWirelessDevice iotwireless:StartBulkAssociateWirelessDeviceWithMulticastGroup iotwireless:StartBulkDisassociateWirelessDeviceFromMulticastGroup iotwireless:StartFuotaTask iotwireless:StartMulticastGroupSession iotwireless:StartNetworkAnalyzerStream iotwireless:StartSingleWirelessDeviceImportTask iotwireless:StartWirelessDeviceImportTask iotwireless:TestWirelessDevice iotwireless:UpdateDestination iotwireless:UpdateEventConfigurationByResourceTypes iotwireless:UpdateFuotaTask iotwireless:UpdateLogLevelsByResourceTypes iotwireless:UpdateMetricConfiguration iotwireless:UpdateMulticastGroup iotwireless:UpdateNetworkAnalyzerConfiguration iotwireless:UpdatePartnerAccount iotwireless:UpdatePosition iotwireless:UpdateResourceEventConfiguration iotwireless:UpdateResourcePosition iotwireless:UpdateWirelessDevice iotwireless:UpdateWirelessDeviceImportTask iotwireless:UpdateWirelessGateway |
| ivs | ivs:BatchGetChannel ivs:BatchGetStreamKey ivs:BatchStartViewerSessionRevocation ivs:CreateChannel ivs:CreateEncoderConfiguration ivs:CreateIngestConfiguration ivs:CreateParticipantToken ivs:CreatePlaybackRestrictionPolicy ivs:CreateRecordingConfiguration ivs:CreateStorageConfiguration ivs:CreateStreamKey ivs:DeleteChannel ivs:DeleteEncoderConfiguration ivs:DeleteIngestConfiguration ivs:DeletePlaybackKeyPair ivs:DeletePlaybackRestrictionPolicy ivs:DeletePublicKey ivs:DeleteRecordingConfiguration ivs:DeleteStorageConfiguration ivs:DeleteStreamKey ivs:DisconnectParticipant ivs:GetChannel ivs:GetComposition ivs:GetEncoderConfiguration ivs:GetIngestConfiguration ivs:GetParticipant ivs:GetPlaybackKeyPair ivs:GetPlaybackRestrictionPolicy ivs:GetPublicKey ivs:GetRecordingConfiguration ivs:GetStorageConfiguration ivs:GetStream ivs:GetStreamKey ivs:GetStreamSession ivs:ImportPlaybackKeyPair ivs:ImportPublicKey ivs:ListChannels ivs:ListCompositions ivs:ListEncoderConfigurations ivs:ListIngestConfigurations ivs:ListParticipantEvents ivs:ListParticipantReplicas ivs:ListParticipants ivs:ListPlaybackKeyPairs ivs:ListPlaybackRestrictionPolicies ivs:ListPublicKeys ivs:ListRecordingConfigurations ivs:ListStorageConfigurations ivs:ListStreamKeys ivs:ListStreamSessions ivs:ListStreams ivs:PutMetadata ivs:StartComposition ivs:StartViewerSessionRevocation ivs:StopComposition ivs:StopStream ivs:UpdateChannel ivs:UpdateIngestConfiguration ivs:UpdatePlaybackRestrictionPolicy |
| ivschat | ivschat:CreateChatToken ivschat:CreateLoggingConfiguration ivschat:CreateRoom ivschat:DeleteLoggingConfiguration ivschat:DeleteMessage ivschat:DeleteRoom ivschat:DisconnectUser ivschat:GetLoggingConfiguration ivschat:GetRoom ivschat:ListLoggingConfigurations ivschat:ListRooms ivschat:SendEvent ivschat:UpdateLoggingConfiguration ivschat:UpdateRoom |
| kafka | kafka:BatchAssociateScramSecret kafka:BatchDisassociateScramSecret kafka:CreateCluster kafka:CreateClusterV2 kafka:CreateConfiguration kafka:CreateReplicator kafka:CreateVpcConnection kafka:DeleteCluster kafka:DeleteClusterPolicy kafka:DeleteConfiguration kafka:DeleteReplicator kafka:DeleteVpcConnection kafka:DescribeCluster kafka:DescribeClusterOperation kafka:DescribeClusterOperationV2 kafka:DescribeClusterV2 kafka:DescribeConfiguration kafka:DescribeConfigurationRevision kafka:DescribeVpcConnection kafka:GetBootstrapBrokers kafka:GetClusterPolicy kafka:GetCompatibleKafkaVersions kafka:ListClientVpcConnections kafka:ListClusterOperations kafka:ListClusterOperationsV2 kafka:ListClusters kafka:ListClustersV2 kafka:ListConfigurationRevisions kafka:ListConfigurations kafka:ListKafkaVersions kafka:ListNodes kafka:ListReplicators kafka:ListScramSecrets kafka:ListVpcConnections kafka:PutClusterPolicy kafka:RebootBroker kafka:RejectClientVpcConnection kafka:UpdateBrokerCount kafka:UpdateBrokerStorage kafka:UpdateBrokerType kafka:UpdateClusterConfiguration kafka:UpdateClusterKafkaVersion kafka:UpdateConfiguration kafka:UpdateConnectivity kafka:UpdateMonitoring kafka:UpdateRebalancing kafka:UpdateReplicationInfo kafka:UpdateSecurity kafka:UpdateStorage |
| kafkaconnect | kafkaconnect:CreateConnector kafkaconnect:CreateCustomPlugin kafkaconnect:CreateWorkerConfiguration kafkaconnect:DeleteConnector kafkaconnect:DeleteCustomPlugin kafkaconnect:DeleteWorkerConfiguration kafkaconnect:DescribeConnector kafkaconnect:DescribeCustomPlugin kafkaconnect:DescribeWorkerConfiguration kafkaconnect:ListConnectorOperations kafkaconnect:ListConnectors kafkaconnect:ListCustomPlugins kafkaconnect:ListWorkerConfigurations kafkaconnect:UpdateConnector |
| kendra | kendra:AssociateEntitiesToExperience kendra:AssociatePersonasToEntities kendra:BatchDeleteDocument kendra:BatchDeleteFeaturedResultsSet kendra:BatchGetDocumentStatus kendra:BatchPutDocument kendra:ClearQuerySuggestions kendra:CreateAccessControlConfiguration kendra:CreateDataSource kendra:CreateExperience kendra:CreateFaq kendra:CreateFeaturedResultsSet kendra:CreateIndex kendra:CreateQuerySuggestionsBlockList kendra:CreateThesaurus kendra:DeleteDataSource kendra:DeleteExperience kendra:DeleteFaq kendra:DeleteIndex kendra:DeletePrincipalMapping kendra:DeleteQuerySuggestionsBlockList kendra:DeleteThesaurus kendra:DescribeAccessControlConfiguration kendra:DescribeDataSource kendra:DescribeExperience kendra:DescribeFaq kendra:DescribeFeaturedResultsSet kendra:DescribeIndex kendra:DescribePrincipalMapping kendra:DescribeQuerySuggestionsBlockList kendra:DescribeQuerySuggestionsConfig kendra:DescribeThesaurus kendra:DisassociateEntitiesFromExperience kendra:DisassociatePersonasFromEntities kendra:GetQuerySuggestions kendra:GetSnapshots kendra:ListAccessControlConfigurations kendra:ListDataSourceSyncJobs kendra:ListDataSources kendra:ListEntityPersonas kendra:ListExperienceEntities kendra:ListExperiences kendra:ListFaqs kendra:ListFeaturedResultsSets kendra:ListGroupsOlderThanOrderingId kendra:ListIndices kendra:ListQuerySuggestionsBlockLists kendra:ListThesauri kendra:PutPrincipalMapping kendra:Query kendra:Retrieve kendra:StartDataSourceSyncJob kendra:StopDataSourceSyncJob kendra:SubmitFeedback kendra:UpdateDataSource kendra:UpdateExperience kendra:UpdateFeaturedResultsSet kendra:UpdateIndex kendra:UpdateQuerySuggestionsBlockList kendra:UpdateQuerySuggestionsConfig kendra:UpdateThesaurus |
| kinesis | kinesis:CreateStream kinesis:DecreaseStreamRetentionPeriod kinesis:DeleteStream kinesis:DeregisterStreamConsumer kinesis:DescribeAccountSettings kinesis:DescribeLimits kinesis:DescribeStream kinesis:DescribeStreamConsumer kinesis:DescribeStreamSummary kinesis:DisableEnhancedMonitoring kinesis:EnableEnhancedMonitoring kinesis:IncreaseStreamRetentionPeriod kinesis:ListShards kinesis:ListStreamConsumers kinesis:ListStreams kinesis:MergeShards kinesis:RegisterStreamConsumer kinesis:SplitShard kinesis:StartStreamEncryption kinesis:StopStreamEncryption kinesis:UpdateAccountSettings kinesis:UpdateShardCount kinesis:UpdateStreamMode |
| kinesisanalytics | kinesisanalytics:AddApplicationCloudWatchLoggingOption kinesisanalytics:AddApplicationInput kinesisanalytics:AddApplicationInputProcessingConfiguration kinesisanalytics:AddApplicationOutput kinesisanalytics:AddApplicationReferenceDataSource kinesisanalytics:AddApplicationVpcConfiguration kinesisanalytics:CreateApplication kinesisanalytics:CreateApplicationPresignedUrl kinesisanalytics:CreateApplicationSnapshot kinesisanalytics:DeleteApplication kinesisanalytics:DeleteApplicationCloudWatchLoggingOption kinesisanalytics:DeleteApplicationInputProcessingConfiguration kinesisanalytics:DeleteApplicationOutput kinesisanalytics:DeleteApplicationReferenceDataSource kinesisanalytics:DeleteApplicationSnapshot kinesisanalytics:DeleteApplicationVpcConfiguration kinesisanalytics:DescribeApplication kinesisanalytics:DescribeApplicationOperation kinesisanalytics:DescribeApplicationSnapshot kinesisanalytics:DescribeApplicationVersion kinesisanalytics:DiscoverInputSchema kinesisanalytics:ListApplicationOperations kinesisanalytics:ListApplicationSnapshots kinesisanalytics:ListApplicationVersions kinesisanalytics:ListApplications kinesisanalytics:RollbackApplication kinesisanalytics:StartApplication kinesisanalytics:StopApplication kinesisanalytics:UpdateApplication kinesisanalytics:UpdateApplicationMaintenanceConfiguration |
| kms | kms:CancelKeyDeletion kms:ConnectCustomKeyStore kms:CreateAlias kms:CreateCustomKeyStore kms:CreateGrant kms:CreateKey kms:Decrypt kms:DeleteAlias kms:DeleteCustomKeyStore kms:DeleteImportedKeyMaterial kms:DeriveSharedSecret kms:DescribeCustomKeyStores kms:DescribeKey kms:DisableKey kms:DisableKeyRotation kms:DisconnectCustomKeyStore kms:EnableKey kms:EnableKeyRotation kms:Encrypt kms:GenerateDataKey kms:GenerateDataKeyPair kms:GenerateDataKeyPairWithoutPlaintext kms:GenerateDataKeyWithoutPlaintext kms:GenerateMac kms:GenerateRandom kms:GetKeyPolicy kms:GetKeyRotationStatus kms:GetParametersForImport kms:GetPublicKey kms:ImportKeyMaterial kms:ListAliases kms:ListGrants kms:ListKeyPolicies kms:ListKeyRotations kms:ListKeys kms:ListRetirableGrants kms:ReplicateKey kms:RetireGrant kms:RevokeGrant kms:RotateKeyOnDemand kms:ScheduleKeyDeletion kms:Sign kms:UpdateAlias kms:UpdateCustomKeyStore kms:UpdateKeyDescription kms:UpdatePrimaryRegion kms:Verify kms:VerifyMac |
| lambda | lambda:AddLayerVersionPermission lambda:AddPermission lambda:CreateAlias lambda:CreateCodeSigningConfig lambda:CreateEventSourceMapping lambda:CreateFunction lambda:CreateFunctionUrlConfig lambda:DeleteAlias lambda:DeleteCapacityProvider lambda:DeleteCodeSigningConfig lambda:DeleteEventSourceMapping lambda:DeleteFunction lambda:DeleteFunctionCodeSigningConfig lambda:DeleteFunctionConcurrency lambda:DeleteFunctionEventInvokeConfig lambda:DeleteFunctionUrlConfig lambda:DeleteLayerVersion lambda:DeleteProvisionedConcurrencyConfig lambda:GetAccountSettings lambda:GetAlias lambda:GetCapacityProvider lambda:GetCodeSigningConfig lambda:GetEventSourceMapping lambda:GetFunction lambda:GetFunctionCodeSigningConfig lambda:GetFunctionConcurrency lambda:GetFunctionConfiguration lambda:GetFunctionEventInvokeConfig lambda:GetFunctionRecursionConfig lambda:GetFunctionScalingConfig lambda:GetFunctionUrlConfig lambda:GetLayerVersion lambda:GetLayerVersionPolicy lambda:GetPolicy lambda:GetProvisionedConcurrencyConfig lambda:GetRuntimeManagementConfig lambda:ListAliases lambda:ListCapacityProviders lambda:ListCodeSigningConfigs lambda:ListDurableExecutionsByFunction lambda:ListEventSourceMappings lambda:ListFunctionEventInvokeConfigs lambda:ListFunctionUrlConfigs lambda:ListFunctions lambda:ListFunctionsByCodeSigningConfig lambda:ListLayerVersions lambda:ListLayers lambda:ListProvisionedConcurrencyConfigs lambda:ListVersionsByFunction lambda:PublishLayerVersion lambda:PublishVersion lambda:PutFunctionCodeSigningConfig lambda:PutFunctionConcurrency lambda:PutFunctionEventInvokeConfig lambda:PutFunctionRecursionConfig lambda:PutFunctionScalingConfig lambda:PutProvisionedConcurrencyConfig lambda:PutRuntimeManagementConfig lambda:RemoveLayerVersionPermission lambda:RemovePermission lambda:UpdateAlias lambda:UpdateCapacityProvider lambda:UpdateCodeSigningConfig lambda:UpdateEventSourceMapping lambda:UpdateFunctionCode lambda:UpdateFunctionConfiguration lambda:UpdateFunctionEventInvokeConfig lambda:UpdateFunctionUrlConfig |
| lex | lex:BatchCreateCustomVocabularyItem lex:BatchDeleteCustomVocabularyItem lex:BatchUpdateCustomVocabularyItem lex:BuildBotLocale lex:CreateBotAlias lex:CreateBotReplica lex:CreateBotVersion lex:CreateExport lex:CreateIntentVersion lex:CreateResourcePolicy lex:CreateSlotTypeVersion lex:CreateTestSetDiscrepancyReport lex:CreateUploadUrl lex:DeleteBot lex:DeleteBotChannelAssociation lex:DeleteBotReplica lex:DeleteExport lex:DeleteImport lex:DeleteIntentVersion lex:DeleteResourcePolicy lex:DeleteSlotTypeVersion lex:DeleteTestSet lex:DeleteUtterances lex:DescribeBotAlias lex:DescribeBotRecommendation lex:DescribeBotReplica lex:DescribeBotResourceGeneration lex:DescribeBotVersion lex:DescribeCustomVocabularyMetadata lex:DescribeExport lex:DescribeImport lex:DescribeResourcePolicy lex:DescribeTestExecution lex:DescribeTestSet lex:DescribeTestSetDiscrepancyReport lex:DescribeTestSetGeneration lex:GenerateBotElement lex:GetBot lex:GetBotAlias lex:GetBotAliases lex:GetBotChannelAssociation lex:GetBotChannelAssociations lex:GetBotVersions lex:GetBots lex:GetBuiltinIntent lex:GetBuiltinIntents lex:GetBuiltinSlotTypes lex:GetExport lex:GetImport lex:GetIntent lex:GetIntentVersions lex:GetIntents lex:GetMigration lex:GetMigrations lex:GetSlotType lex:GetSlotTypeVersions lex:GetSlotTypes lex:GetTestExecutionArtifactsUrl lex:GetUtterancesView lex:ListBotAliasReplicas lex:ListBotAliases lex:ListBotRecommendations lex:ListBotReplicas lex:ListBotResourceGenerations lex:ListBotVersionReplicas lex:ListBotVersions lex:ListBots lex:ListBuiltInIntents lex:ListBuiltInSlotTypes lex:ListCustomVocabularyItems lex:ListExports lex:ListImports lex:ListIntentMetrics lex:ListIntentPaths lex:ListRecommendedIntents lex:ListSessionAnalyticsData lex:ListSessionMetrics lex:ListTestExecutionResultItems lex:ListTestExecutions lex:ListTestSets lex:PutBot lex:PutBotAlias lex:PutIntent lex:PutSlotType lex:SearchAssociatedTranscripts lex:StartBotRecommendation lex:StartImport lex:StartMigration lex:StartTestExecution lex:StartTestSetGeneration lex:StopBotRecommendation lex:UpdateBotAlias lex:UpdateBotRecommendation lex:UpdateExport lex:UpdateResourcePolicy |
| license-manager-linux-subscriptions | license-manager-linux-subscriptions:DeregisterSubscriptionProvider license-manager-linux-subscriptions:GetRegisteredSubscriptionProvider license-manager-linux-subscriptions:GetServiceSettings license-manager-linux-subscriptions:ListLinuxSubscriptionInstances license-manager-linux-subscriptions:ListLinuxSubscriptions license-manager-linux-subscriptions:ListRegisteredSubscriptionProviders license-manager-linux-subscriptions:RegisterSubscriptionProvider license-manager-linux-subscriptions:UpdateServiceSettings |
| lightsail | lightsail:AllocateStaticIp lightsail:AttachCertificateToDistribution lightsail:AttachDisk lightsail:AttachInstancesToLoadBalancer lightsail:AttachLoadBalancerTlsCertificate lightsail:AttachStaticIp lightsail:CloseInstancePublicPorts lightsail:CopySnapshot lightsail:CreateBucket lightsail:CreateBucketAccessKey lightsail:CreateCertificate lightsail:CreateCloudFormationStack lightsail:CreateContactMethod lightsail:CreateContainerService lightsail:CreateContainerServiceDeployment lightsail:CreateContainerServiceRegistryLogin lightsail:CreateDisk lightsail:CreateDiskFromSnapshot lightsail:CreateDiskSnapshot lightsail:CreateDistribution lightsail:CreateDomain lightsail:CreateGUISessionAccessDetails lightsail:CreateInstanceSnapshot lightsail:CreateInstances lightsail:CreateInstancesFromSnapshot lightsail:CreateKeyPair lightsail:CreateLoadBalancer lightsail:CreateLoadBalancerTlsCertificate lightsail:CreateRelationalDatabase lightsail:CreateRelationalDatabaseFromSnapshot lightsail:CreateRelationalDatabaseSnapshot lightsail:DeleteAlarm lightsail:DeleteAutoSnapshot lightsail:DeleteBucket lightsail:DeleteBucketAccessKey lightsail:DeleteCertificate lightsail:DeleteContactMethod lightsail:DeleteContainerImage lightsail:DeleteContainerService lightsail:DeleteDisk lightsail:DeleteDiskSnapshot lightsail:DeleteDistribution lightsail:DeleteDomain lightsail:DeleteDomainEntry lightsail:DeleteInstance lightsail:DeleteInstanceSnapshot lightsail:DeleteKeyPair lightsail:DeleteKnownHostKeys lightsail:DeleteLoadBalancer lightsail:DeleteLoadBalancerTlsCertificate lightsail:DeleteRelationalDatabase lightsail:DeleteRelationalDatabaseSnapshot lightsail:DetachCertificateFromDistribution lightsail:DetachDisk lightsail:DetachInstancesFromLoadBalancer lightsail:DetachStaticIp lightsail:DisableAddOn lightsail:DownloadDefaultKeyPair lightsail:EnableAddOn lightsail:ExportSnapshot lightsail:GetActiveNames lightsail:GetAlarms lightsail:GetAutoSnapshots lightsail:GetBlueprints lightsail:GetBucketAccessKeys lightsail:GetBucketBundles lightsail:GetBucketMetricData lightsail:GetBuckets lightsail:GetBundles lightsail:GetCertificates lightsail:GetCloudFormationStackRecords lightsail:GetContactMethods lightsail:GetContainerAPIMetadata lightsail:GetContainerImages lightsail:GetContainerLog lightsail:GetContainerServiceDeployments lightsail:GetContainerServiceMetricData lightsail:GetContainerServicePowers lightsail:GetContainerServices lightsail:GetCostEstimate lightsail:GetDisk lightsail:GetDiskSnapshot lightsail:GetDiskSnapshots lightsail:GetDisks lightsail:GetDistributionBundles lightsail:GetDistributionLatestCacheReset lightsail:GetDistributionMetricData lightsail:GetDistributions lightsail:GetDomain lightsail:GetExportSnapshotRecords lightsail:GetInstance lightsail:GetInstanceMetricData lightsail:GetInstancePortStates lightsail:GetInstanceSnapshot lightsail:GetInstanceSnapshots lightsail:GetInstanceState lightsail:GetInstances lightsail:GetKeyPair lightsail:GetKeyPairs lightsail:GetLoadBalancer lightsail:GetLoadBalancerMetricData lightsail:GetLoadBalancerTlsCertificates lightsail:GetLoadBalancerTlsPolicies lightsail:GetLoadBalancers lightsail:GetOperation lightsail:GetOperations lightsail:GetOperationsForResource lightsail:GetRegions lightsail:GetRelationalDatabase lightsail:GetRelationalDatabaseBlueprints lightsail:GetRelationalDatabaseBundles lightsail:GetRelationalDatabaseEvents lightsail:GetRelationalDatabaseLogEvents lightsail:GetRelationalDatabaseLogStreams lightsail:GetRelationalDatabaseMasterUserPassword lightsail:GetRelationalDatabaseMetricData lightsail:GetRelationalDatabaseParameters lightsail:GetRelationalDatabaseSnapshot lightsail:GetRelationalDatabaseSnapshots lightsail:GetRelationalDatabases lightsail:GetSetupHistory lightsail:GetStaticIp lightsail:GetStaticIps lightsail:ImportKeyPair lightsail:IsVpcPeered lightsail:OpenInstancePublicPorts lightsail:PeerVpc lightsail:PutAlarm lightsail:PutInstancePublicPorts lightsail:RebootInstance lightsail:RebootRelationalDatabase lightsail:RegisterContainerImage lightsail:ReleaseStaticIp lightsail:ResetDistributionCache lightsail:SendContactMethodVerification lightsail:SetIpAddressType lightsail:SetResourceAccessForBucket lightsail:SetupInstanceHttps lightsail:StartGUISession lightsail:StartInstance lightsail:StartRelationalDatabase lightsail:StopGUISession lightsail:StopInstance lightsail:StopRelationalDatabase lightsail:TestAlarm lightsail:UnpeerVpc lightsail:UpdateBucket lightsail:UpdateBucketBundle lightsail:UpdateContainerService lightsail:UpdateDistribution lightsail:UpdateDistributionBundle lightsail:UpdateDomainEntry lightsail:UpdateInstanceMetadataOptions lightsail:UpdateLoadBalancerAttribute lightsail:UpdateRelationalDatabase lightsail:UpdateRelationalDatabaseParameters |
| logs | logs:AssociateKmsKey logs:AssociateSourceToS3TableIntegration logs:CancelExportTask logs:CancelImportTask logs:CreateDelivery logs:CreateExportTask logs:CreateLogAnomalyDetector logs:CreateLogGroup logs:CreateLogStream logs:DeleteDataProtectionPolicy logs:DeleteDelivery logs:DeleteDeliveryDestination logs:DeleteDeliveryDestinationPolicy logs:DeleteDeliverySource logs:DeleteDestination logs:DeleteIndexPolicy logs:DeleteIntegration logs:DeleteLogAnomalyDetector logs:DeleteLogGroup logs:DeleteLogStream logs:DeleteMetricFilter logs:DeleteQueryDefinition logs:DeleteResourcePolicy logs:DeleteRetentionPolicy logs:DeleteScheduledQuery logs:DeleteSubscriptionFilter logs:DeleteTransformer logs:DescribeAccountPolicies logs:DescribeConfigurationTemplates logs:DescribeDeliveries logs:DescribeDeliveryDestinations logs:DescribeDeliverySources logs:DescribeDestinations logs:DescribeExportTasks logs:DescribeFieldIndexes logs:DescribeImportTaskBatches logs:DescribeImportTasks logs:DescribeIndexPolicies logs:DescribeLogGroups logs:DescribeLogStreams logs:DescribeMetricFilters logs:DescribeQueries logs:DescribeQueryDefinitions logs:DescribeResourcePolicies logs:DescribeSubscriptionFilters logs:DisassociateKmsKey logs:DisassociateSourceFromS3TableIntegration logs:GetDataProtectionPolicy logs:GetDelivery logs:GetDeliveryDestination logs:GetDeliveryDestinationPolicy logs:GetDeliverySource logs:GetIntegration logs:GetLogAnomalyDetector logs:GetLogFields logs:GetLogGroupFields logs:GetLogRecord logs:GetQueryResults logs:GetScheduledQuery logs:GetScheduledQueryHistory logs:GetTransformer logs:IntegrateWithS3Table logs:ListAnomalies logs:ListIntegrations logs:ListLogAnomalyDetectors logs:ListLogGroupsForQuery logs:ListScheduledQueries logs:ListSourcesForS3TableIntegration logs:ProcessWithPipeline logs:PutDataProtectionPolicy logs:PutDeliveryDestination logs:PutDeliveryDestinationPolicy logs:PutDeliverySource logs:PutDestination logs:PutDestinationPolicy logs:PutIndexPolicy logs:PutIntegration logs:PutLogGroupDeletionProtection logs:PutMetricFilter logs:PutQueryDefinition logs:PutResourcePolicy logs:PutRetentionPolicy logs:PutSubscriptionFilter logs:PutTransformer logs:StartLiveTail logs:StartQuery logs:StopQuery logs:TestMetricFilter logs:TestTransformer logs:UpdateAnomaly logs:UpdateDeliveryConfiguration logs:UpdateLogAnomalyDetector |
| lookoutequipment | lookoutequipment:CreateDataset lookoutequipment:CreateInferenceScheduler lookoutequipment:CreateLabel lookoutequipment:CreateLabelGroup lookoutequipment:CreateModel lookoutequipment:DeleteDataset lookoutequipment:DeleteInferenceScheduler lookoutequipment:DeleteLabel lookoutequipment:DeleteLabelGroup lookoutequipment:DeleteModel lookoutequipment:DeleteResourcePolicy lookoutequipment:DeleteRetrainingScheduler lookoutequipment:DescribeDataIngestionJob lookoutequipment:DescribeDataset lookoutequipment:DescribeInferenceScheduler lookoutequipment:DescribeLabelGroup lookoutequipment:DescribeModel lookoutequipment:DescribeModelVersion lookoutequipment:DescribeResourcePolicy lookoutequipment:DescribeRetrainingScheduler lookoutequipment:Describelabel lookoutequipment:ImportDataset lookoutequipment:ImportModelVersion lookoutequipment:ListDataIngestionJobs lookoutequipment:ListDatasets lookoutequipment:ListInferenceEvents lookoutequipment:ListInferenceExecutions lookoutequipment:ListInferenceSchedulers lookoutequipment:ListLabelGroups lookoutequipment:ListLabels lookoutequipment:ListModelVersions lookoutequipment:ListModels lookoutequipment:ListRetrainingSchedulers lookoutequipment:ListSensorStatistics lookoutequipment:PutResourcePolicy lookoutequipment:StartDataIngestionJob lookoutequipment:StartInferenceScheduler lookoutequipment:StartRetrainingScheduler lookoutequipment:StopInferenceScheduler lookoutequipment:StopRetrainingScheduler lookoutequipment:UpdateActiveModelVersion lookoutequipment:UpdateInferenceScheduler lookoutequipment:UpdateLabelGroup lookoutequipment:UpdateModel lookoutequipment:UpdateRetrainingScheduler |
| lookoutmetrics | lookoutmetrics:ActivateAnomalyDetector lookoutmetrics:BackTestAnomalyDetector lookoutmetrics:CreateAlert lookoutmetrics:CreateAnomalyDetector lookoutmetrics:CreateMetricSet lookoutmetrics:DeactivateAnomalyDetector lookoutmetrics:DeleteAlert lookoutmetrics:DeleteAnomalyDetector lookoutmetrics:DescribeAlert lookoutmetrics:DescribeAnomalyDetectionExecutions lookoutmetrics:DescribeAnomalyDetector lookoutmetrics:DescribeMetricSet lookoutmetrics:DetectMetricSetConfig lookoutmetrics:GetAnomalyGroup lookoutmetrics:GetDataQualityMetrics lookoutmetrics:GetFeedback lookoutmetrics:GetSampleData lookoutmetrics:ListAlerts lookoutmetrics:ListAnomalyDetectors lookoutmetrics:ListAnomalyGroupRelatedMetrics lookoutmetrics:ListAnomalyGroupSummaries lookoutmetrics:ListAnomalyGroupTimeSeries lookoutmetrics:ListMetricSets lookoutmetrics:PutFeedback lookoutmetrics:UpdateAlert lookoutmetrics:UpdateAnomalyDetector lookoutmetrics:UpdateMetricSet |
| lookoutvision | lookoutvision:CreateDataset lookoutvision:CreateModel lookoutvision:CreateProject lookoutvision:DeleteDataset lookoutvision:DeleteModel lookoutvision:DeleteProject lookoutvision:DescribeDataset lookoutvision:DescribeModel lookoutvision:DescribeModelPackagingJob lookoutvision:DescribeProject lookoutvision:DetectAnomalies lookoutvision:ListDatasetEntries lookoutvision:ListModelPackagingJobs lookoutvision:ListModels lookoutvision:ListProjects lookoutvision:StartModel lookoutvision:StartModelPackagingJob lookoutvision:StopModel lookoutvision:UpdateDatasetEntries |
| m2 | m2:CancelBatchJobExecution m2:CreateApplication m2:CreateDataSetExportTask m2:CreateDataSetImportTask m2:CreateDeployment m2:CreateEnvironment m2:DeleteApplication m2:DeleteApplicationFromEnvironment m2:DeleteEnvironment m2:GetApplication m2:GetApplicationVersion m2:GetBatchJobExecution m2:GetDataSetDetails m2:GetDataSetExportTask m2:GetDataSetImportTask m2:GetDeployment m2:GetEnvironment m2:GetSignedBluinsightsUrl m2:ListApplicationVersions m2:ListApplications m2:ListBatchJobDefinitions m2:ListBatchJobExecutions m2:ListBatchJobRestartPoints m2:ListDataSetExportHistory m2:ListDataSetImportHistory m2:ListDataSets m2:ListDeployments m2:ListEngineVersions m2:ListEnvironments m2:StartApplication m2:StartBatchJob m2:StopApplication m2:UpdateApplication m2:UpdateEnvironment |
| managedblockchain | managedblockchain:CreateAccessor managedblockchain:CreateMember managedblockchain:CreateNetwork managedblockchain:CreateNode managedblockchain:CreateProposal managedblockchain:DeleteAccessor managedblockchain:DeleteMember managedblockchain:DeleteNode managedblockchain:GetAccessor managedblockchain:GetMember managedblockchain:GetNetwork managedblockchain:GetNode managedblockchain:GetProposal managedblockchain:InvokeRpcPolygonMainnet managedblockchain:InvokeRpcPolygonMumbaiTestnet managedblockchain:ListAccessors managedblockchain:ListInvitations managedblockchain:ListMembers managedblockchain:ListNetworks managedblockchain:ListNodes managedblockchain:ListProposalVotes managedblockchain:ListProposals managedblockchain:RejectInvitation managedblockchain:UpdateMember managedblockchain:UpdateNode managedblockchain:VoteOnProposal |
| mediaconnect | mediaconnect:AddBridgeOutputs mediaconnect:AddBridgeSources mediaconnect:AddFlowMediaStreams mediaconnect:AddFlowOutputs mediaconnect:AddFlowSources mediaconnect:AddFlowVpcInterfaces mediaconnect:CreateBridge mediaconnect:CreateFlow mediaconnect:CreateGateway mediaconnect:DeleteBridge mediaconnect:DeleteFlow mediaconnect:DeleteGateway mediaconnect:DeleteRouterInput mediaconnect:DeleteRouterNetworkInterface mediaconnect:DeleteRouterOutput mediaconnect:DeregisterGatewayInstance mediaconnect:DescribeBridge mediaconnect:DescribeFlow mediaconnect:DescribeFlowSourceMetadata mediaconnect:DescribeFlowSourceThumbnail mediaconnect:DescribeGateway mediaconnect:DescribeGatewayInstance mediaconnect:DescribeOffering mediaconnect:DescribeReservation mediaconnect:GetRouterInput mediaconnect:GetRouterInputSourceMetadata mediaconnect:GetRouterInputThumbnail mediaconnect:GetRouterNetworkInterface mediaconnect:GetRouterOutput mediaconnect:GrantFlowEntitlements mediaconnect:ListBridges mediaconnect:ListEntitlements mediaconnect:ListFlows mediaconnect:ListGatewayInstances mediaconnect:ListGateways mediaconnect:ListOfferings mediaconnect:ListReservations mediaconnect:ListRouterInputs mediaconnect:ListRouterNetworkInterfaces mediaconnect:ListRouterOutputs mediaconnect:PurchaseOffering mediaconnect:RemoveBridgeOutput mediaconnect:RemoveBridgeSource mediaconnect:RemoveFlowMediaStream mediaconnect:RemoveFlowOutput mediaconnect:RemoveFlowSource mediaconnect:RemoveFlowVpcInterface mediaconnect:RestartRouterInput mediaconnect:RestartRouterOutput mediaconnect:RevokeFlowEntitlement mediaconnect:StartFlow mediaconnect:StartRouterInput mediaconnect:StartRouterOutput mediaconnect:StopFlow mediaconnect:StopRouterInput mediaconnect:StopRouterOutput mediaconnect:TakeRouterInput mediaconnect:UpdateBridge mediaconnect:UpdateBridgeOutput mediaconnect:UpdateBridgeSource mediaconnect:UpdateBridgeState mediaconnect:UpdateFlow mediaconnect:UpdateFlowEntitlement mediaconnect:UpdateFlowMediaStream mediaconnect:UpdateGatewayInstance |
| mediaconvert | mediaconvert:AssociateCertificate mediaconvert:CancelJob mediaconvert:CreateJob mediaconvert:CreateJobTemplate mediaconvert:CreatePreset mediaconvert:CreateQueue mediaconvert:CreateResourceShare mediaconvert:DeleteJobTemplate mediaconvert:DeletePolicy mediaconvert:DeletePreset mediaconvert:DeleteQueue mediaconvert:DescribeEndpoints mediaconvert:DisassociateCertificate mediaconvert:GetJob mediaconvert:GetJobTemplate mediaconvert:GetPolicy mediaconvert:GetPreset mediaconvert:GetQueue mediaconvert:ListJobTemplates mediaconvert:ListJobs mediaconvert:ListPresets mediaconvert:ListQueues mediaconvert:ListVersions mediaconvert:Probe mediaconvert:PutPolicy mediaconvert:SearchJobs mediaconvert:UpdateJobTemplate mediaconvert:UpdatePreset mediaconvert:UpdateQueue |
| medialive | medialive:AcceptInputDeviceTransfer medialive:BatchDelete medialive:BatchStart medialive:BatchStop medialive:BatchUpdateSchedule medialive:CancelInputDeviceTransfer medialive:ClaimDevice medialive:CreateChannel medialive:CreateChannelPlacementGroup medialive:CreateCloudWatchAlarmTemplate medialive:CreateCloudWatchAlarmTemplateGroup medialive:CreateCluster medialive:CreateEventBridgeRuleTemplate medialive:CreateEventBridgeRuleTemplateGroup medialive:CreateInput medialive:CreateInputSecurityGroup medialive:CreateMultiplex medialive:CreateMultiplexProgram medialive:CreateNetwork medialive:CreateNode medialive:CreateNodeRegistrationScript medialive:CreatePartnerInput medialive:CreateSdiSource medialive:CreateSignalMap medialive:DeleteChannel medialive:DeleteChannelPlacementGroup medialive:DeleteCloudWatchAlarmTemplate medialive:DeleteCloudWatchAlarmTemplateGroup medialive:DeleteCluster medialive:DeleteEventBridgeRuleTemplate medialive:DeleteEventBridgeRuleTemplateGroup medialive:DeleteInput medialive:DeleteInputSecurityGroup medialive:DeleteMultiplex medialive:DeleteMultiplexProgram medialive:DeleteNetwork medialive:DeleteNode medialive:DeleteReservation medialive:DeleteSchedule medialive:DeleteSdiSource medialive:DeleteSignalMap medialive:DescribeAccountConfiguration medialive:DescribeChannel medialive:DescribeChannelPlacementGroup medialive:DescribeCluster medialive:DescribeInput medialive:DescribeInputDevice medialive:DescribeInputDeviceThumbnail medialive:DescribeInputSecurityGroup medialive:DescribeMultiplex medialive:DescribeMultiplexProgram medialive:DescribeNetwork medialive:DescribeNode medialive:DescribeOffering medialive:DescribeReservation medialive:DescribeSchedule medialive:DescribeSdiSource medialive:DescribeThumbnails medialive:GetCloudWatchAlarmTemplate medialive:GetCloudWatchAlarmTemplateGroup medialive:GetEventBridgeRuleTemplate medialive:GetEventBridgeRuleTemplateGroup medialive:GetSignalMap medialive:ListAlerts medialive:ListChannelPlacementGroups medialive:ListChannels medialive:ListCloudWatchAlarmTemplateGroups medialive:ListCloudWatchAlarmTemplates medialive:ListClusterAlerts medialive:ListClusters medialive:ListEventBridgeRuleTemplateGroups medialive:ListEventBridgeRuleTemplates medialive:ListInputDeviceTransfers medialive:ListInputDevices medialive:ListInputSecurityGroups medialive:ListInputs medialive:ListMultiplexAlerts medialive:ListMultiplexPrograms medialive:ListMultiplexes medialive:ListNetworks medialive:ListNodes medialive:ListOfferings medialive:ListReservations medialive:ListSdiSources medialive:ListSignalMaps medialive:ListVersions medialive:PurchaseOffering medialive:RebootInputDevice medialive:RejectInputDeviceTransfer medialive:RestartChannelPipelines medialive:StartChannel medialive:StartDeleteMonitorDeployment medialive:StartInputDevice medialive:StartInputDeviceMaintenanceWindow medialive:StartMonitorDeployment medialive:StartMultiplex medialive:StartUpdateSignalMap medialive:StopChannel medialive:StopInputDevice medialive:StopMultiplex medialive:TransferInputDevice medialive:UpdateAccountConfiguration medialive:UpdateChannel medialive:UpdateChannelClass medialive:UpdateChannelPlacementGroup medialive:UpdateCloudWatchAlarmTemplate medialive:UpdateCloudWatchAlarmTemplateGroup medialive:UpdateCluster medialive:UpdateEventBridgeRuleTemplate medialive:UpdateEventBridgeRuleTemplateGroup medialive:UpdateInput medialive:UpdateInputDevice medialive:UpdateInputSecurityGroup medialive:UpdateMultiplex medialive:UpdateMultiplexProgram medialive:UpdateNetwork medialive:UpdateNode medialive:UpdateNodeState medialive:UpdateReservation medialive:UpdateSdiSource |
| mediastore | mediastore:CreateContainer mediastore:DeleteContainer mediastore:DeleteContainerPolicy mediastore:DeleteCorsPolicy mediastore:DeleteLifecyclePolicy mediastore:DeleteMetricPolicy mediastore:DescribeContainer mediastore:GetContainerPolicy mediastore:GetCorsPolicy mediastore:GetLifecyclePolicy mediastore:GetMetricPolicy mediastore:ListContainers mediastore:PutContainerPolicy mediastore:PutCorsPolicy mediastore:PutLifecyclePolicy mediastore:PutMetricPolicy mediastore:StartAccessLogging mediastore:StopAccessLogging |
| mediatailor | mediatailor:ConfigureLogsForPlaybackConfiguration mediatailor:CreateChannel mediatailor:CreateLiveSource mediatailor:CreatePrefetchSchedule mediatailor:CreateProgram mediatailor:CreateSourceLocation mediatailor:CreateVodSource mediatailor:DeleteChannel mediatailor:DeleteChannelPolicy mediatailor:DeleteLiveSource mediatailor:DeletePlaybackConfiguration mediatailor:DeletePrefetchSchedule mediatailor:DeleteProgram mediatailor:DeleteSourceLocation mediatailor:DeleteVodSource mediatailor:DescribeChannel mediatailor:DescribeLiveSource mediatailor:DescribeProgram mediatailor:DescribeSourceLocation mediatailor:DescribeVodSource mediatailor:GetChannelPolicy mediatailor:GetChannelSchedule mediatailor:GetPlaybackConfiguration mediatailor:GetPrefetchSchedule mediatailor:ListAlerts mediatailor:ListChannels mediatailor:ListLiveSources mediatailor:ListPlaybackConfigurations mediatailor:ListPrefetchSchedules mediatailor:ListSourceLocations mediatailor:ListVodSources mediatailor:PutChannelPolicy mediatailor:PutPlaybackConfiguration mediatailor:StartChannel mediatailor:StopChannel mediatailor:UpdateChannel mediatailor:UpdateLiveSource mediatailor:UpdateProgram mediatailor:UpdateSourceLocation mediatailor:UpdateVodSource |
| memorydb | memorydb:BatchUpdateCluster memorydb:CopySnapshot memorydb:CreateAcl memorydb:CreateCluster memorydb:CreateMultiRegionCluster memorydb:CreateParameterGroup memorydb:CreateSnapshot memorydb:CreateSubnetGroup memorydb:CreateUser memorydb:DeleteAcl memorydb:DeleteCluster memorydb:DeleteMultiRegionCluster memorydb:DeleteParameterGroup memorydb:DeleteSnapshot memorydb:DeleteSubnetGroup memorydb:DeleteUser memorydb:DescribeAcls memorydb:DescribeClusters memorydb:DescribeEngineVersions memorydb:DescribeEvents memorydb:DescribeMultiRegionClusters memorydb:DescribeMultiRegionParameterGroups memorydb:DescribeMultiRegionParameters memorydb:DescribeParameterGroups memorydb:DescribeParameters memorydb:DescribeReservedNodes memorydb:DescribeReservedNodesOfferings memorydb:DescribeServiceUpdates memorydb:DescribeSnapshots memorydb:DescribeSubnetGroups memorydb:DescribeUsers memorydb:FailoverShard memorydb:ListAllowedMultiRegionClusterUpdates memorydb:ListAllowedNodeTypeUpdates memorydb:PurchaseReservedNodesOffering memorydb:ResetParameterGroup memorydb:UpdateAcl memorydb:UpdateCluster memorydb:UpdateMultiRegionCluster memorydb:UpdateParameterGroup memorydb:UpdateSubnetGroup memorydb:UpdateUser |
| mgh | mgh:AssociateCreatedArtifact mgh:AssociateDiscoveredResource mgh:AssociateSourceResource mgh:CreateHomeRegionControl mgh:CreateProgressUpdateStream mgh:DeleteHomeRegionControl mgh:DeleteProgressUpdateStream mgh:DescribeApplicationState mgh:DescribeHomeRegionControls mgh:DescribeMigrationTask mgh:DisassociateCreatedArtifact mgh:DisassociateDiscoveredResource mgh:DisassociateSourceResource mgh:GetHomeRegion mgh:ImportMigrationTask mgh:ListApplicationStates mgh:ListCreatedArtifacts mgh:ListDiscoveredResources mgh:ListMigrationTaskUpdates mgh:ListMigrationTasks mgh:ListProgressUpdateStreams mgh:ListSourceResources mgh:NotifyApplicationState mgh:NotifyMigrationTaskState mgh:PutResourceAttributes |
| mgn | mgn:ArchiveApplication mgn:ArchiveWave mgn:AssociateApplications mgn:AssociateSourceServers mgn:ChangeServerLifeCycleState mgn:CreateApplication mgn:CreateConnector mgn:CreateLaunchConfigurationTemplate mgn:CreateReplicationConfigurationTemplate mgn:CreateWave mgn:DeleteApplication mgn:DeleteConnector mgn:DeleteJob mgn:DeleteLaunchConfigurationTemplate mgn:DeleteReplicationConfigurationTemplate mgn:DeleteSourceServer mgn:DeleteVcenterClient mgn:DeleteWave mgn:DescribeJobLogItems mgn:DescribeJobs mgn:DescribeLaunchConfigurationTemplates mgn:DescribeReplicationConfigurationTemplates mgn:DescribeVcenterClients mgn:DisassociateApplications mgn:DisassociateSourceServers mgn:DisconnectFromService mgn:FinalizeCutover mgn:GetReplicationConfiguration mgn:InitializeService mgn:ListConnectors mgn:ListExportErrors mgn:ListExports mgn:ListImportErrors mgn:ListImports mgn:ListManagedAccounts mgn:ListSourceServerActions mgn:ListTemplateActions mgn:MarkAsArchived mgn:PauseReplication mgn:PutSourceServerAction mgn:PutTemplateAction mgn:RemoveSourceServerAction mgn:RemoveTemplateAction mgn:ResumeReplication mgn:RetryDataReplication mgn:StartCutover mgn:StartExport mgn:StartImport mgn:StartReplication mgn:StartTest mgn:StopReplication mgn:TerminateTargetInstances mgn:UnarchiveApplication mgn:UnarchiveWave mgn:UpdateApplication mgn:UpdateConnector mgn:UpdateLaunchConfigurationTemplate mgn:UpdateReplicationConfiguration mgn:UpdateReplicationConfigurationTemplate mgn:UpdateSourceServer mgn:UpdateSourceServerReplicationType mgn:UpdateWave |
| migrationhub-strategy | migrationhub-strategy:GetAntiPattern migrationhub-strategy:GetApplicationComponentDetails migrationhub-strategy:GetApplicationComponentStrategies migrationhub-strategy:GetAssessment migrationhub-strategy:GetImportFileTask migrationhub-strategy:GetLatestAssessmentId migrationhub-strategy:GetMessage migrationhub-strategy:GetPortfolioPreferences migrationhub-strategy:GetPortfolioSummary migrationhub-strategy:GetRecommendationReportDetails migrationhub-strategy:GetServerDetails migrationhub-strategy:GetServerStrategies migrationhub-strategy:ListAnalyzableServers migrationhub-strategy:ListAntiPatterns migrationhub-strategy:ListApplicationComponents migrationhub-strategy:ListCollectors migrationhub-strategy:ListImportFileTask migrationhub-strategy:ListJarArtifacts migrationhub-strategy:ListServers migrationhub-strategy:PutLogData migrationhub-strategy:PutMetricData migrationhub-strategy:PutPortfolioPreferences migrationhub-strategy:RegisterCollector migrationhub-strategy:SendMessage migrationhub-strategy:StartAssessment migrationhub-strategy:StartImportFileTask migrationhub-strategy:StartRecommendationReportGeneration migrationhub-strategy:StopAssessment migrationhub-strategy:UpdateApplicationComponentConfig migrationhub-strategy:UpdateCollectorConfiguration migrationhub-strategy:UpdateServerConfig |
| mobiletargeting | mobiletargeting:CreateApp mobiletargeting:CreateCampaign mobiletargeting:CreateEmailTemplate mobiletargeting:CreateExportJob mobiletargeting:CreateImportJob mobiletargeting:CreateInAppTemplate mobiletargeting:CreateJourney mobiletargeting:CreatePushTemplate mobiletargeting:CreateRecommenderConfiguration mobiletargeting:CreateSegment mobiletargeting:CreateSmsTemplate mobiletargeting:CreateVoiceTemplate mobiletargeting:DeleteAdmChannel mobiletargeting:DeleteApnsChannel mobiletargeting:DeleteApnsSandboxChannel mobiletargeting:DeleteApnsVoipChannel mobiletargeting:DeleteApnsVoipSandboxChannel mobiletargeting:DeleteApp mobiletargeting:DeleteBaiduChannel mobiletargeting:DeleteCampaign mobiletargeting:DeleteEmailChannel mobiletargeting:DeleteEmailTemplate mobiletargeting:DeleteEndpoint mobiletargeting:DeleteEventStream mobiletargeting:DeleteGcmChannel mobiletargeting:DeleteInAppTemplate mobiletargeting:DeleteJourney mobiletargeting:DeletePushTemplate mobiletargeting:DeleteRecommenderConfiguration mobiletargeting:DeleteSegment mobiletargeting:DeleteSmsChannel mobiletargeting:DeleteSmsTemplate mobiletargeting:DeleteUserEndpoints mobiletargeting:DeleteVoiceChannel mobiletargeting:DeleteVoiceTemplate mobiletargeting:GetAdmChannel mobiletargeting:GetApnsChannel mobiletargeting:GetApnsSandboxChannel mobiletargeting:GetApnsVoipChannel mobiletargeting:GetApnsVoipSandboxChannel mobiletargeting:GetApp mobiletargeting:GetApplicationDateRangeKpi mobiletargeting:GetApplicationSettings mobiletargeting:GetApps mobiletargeting:GetBaiduChannel mobiletargeting:GetCampaign mobiletargeting:GetCampaignActivities mobiletargeting:GetCampaignDateRangeKpi mobiletargeting:GetCampaignVersion mobiletargeting:GetCampaignVersions mobiletargeting:GetCampaigns mobiletargeting:GetChannels mobiletargeting:GetEmailChannel mobiletargeting:GetEmailTemplate mobiletargeting:GetEndpoint mobiletargeting:GetEventStream mobiletargeting:GetExportJob mobiletargeting:GetExportJobs mobiletargeting:GetGcmChannel mobiletargeting:GetImportJob mobiletargeting:GetImportJobs mobiletargeting:GetInAppMessages mobiletargeting:GetInAppTemplate mobiletargeting:GetJourney mobiletargeting:GetJourneyDateRangeKpi mobiletargeting:GetJourneyExecutionActivityMetrics mobiletargeting:GetJourneyExecutionMetrics mobiletargeting:GetJourneyRunExecutionActivityMetrics mobiletargeting:GetJourneyRunExecutionMetrics mobiletargeting:GetJourneyRuns mobiletargeting:GetPushTemplate mobiletargeting:GetRecommenderConfiguration mobiletargeting:GetRecommenderConfigurations mobiletargeting:GetSegment mobiletargeting:GetSegmentExportJobs mobiletargeting:GetSegmentImportJobs mobiletargeting:GetSegmentVersion mobiletargeting:GetSegmentVersions mobiletargeting:GetSegments mobiletargeting:GetSmsChannel mobiletargeting:GetSmsTemplate mobiletargeting:GetUserEndpoints mobiletargeting:GetVoiceChannel mobiletargeting:GetVoiceTemplate mobiletargeting:ListJourneys mobiletargeting:ListTemplateVersions mobiletargeting:ListTemplates mobiletargeting:PhoneNumberValidate mobiletargeting:PutEventStream mobiletargeting:RemoveAttributes mobiletargeting:UpdateAdmChannel mobiletargeting:UpdateApnsChannel mobiletargeting:UpdateApnsSandboxChannel mobiletargeting:UpdateApnsVoipChannel mobiletargeting:UpdateApnsVoipSandboxChannel mobiletargeting:UpdateApplicationSettings mobiletargeting:UpdateBaiduChannel mobiletargeting:UpdateCampaign mobiletargeting:UpdateEmailChannel mobiletargeting:UpdateEmailTemplate mobiletargeting:UpdateEndpoint mobiletargeting:UpdateEndpointsBatch mobiletargeting:UpdateGcmChannel mobiletargeting:UpdateInAppTemplate mobiletargeting:UpdateJourney mobiletargeting:UpdateJourneyState mobiletargeting:UpdatePushTemplate mobiletargeting:UpdateRecommenderConfiguration mobiletargeting:UpdateSegment mobiletargeting:UpdateSmsChannel mobiletargeting:UpdateSmsTemplate mobiletargeting:UpdateTemplateActiveVersion mobiletargeting:UpdateVoiceChannel mobiletargeting:UpdateVoiceTemplate mobiletargeting:VerifyOTPMessage |
| mq | mq:CreateBroker mq:CreateConfiguration mq:CreateUser mq:DeleteBroker mq:DeleteConfiguration mq:DeleteUser mq:DescribeBroker mq:DescribeBrokerEngineTypes mq:DescribeBrokerInstanceOptions mq:DescribeConfiguration mq:DescribeConfigurationRevision mq:DescribeUser mq:ListBrokers mq:ListConfigurationRevisions mq:ListConfigurations mq:ListUsers mq:Promote mq:RebootBroker mq:UpdateBroker mq:UpdateConfiguration mq:UpdateUser |
| networkmanager | networkmanager:AcceptAttachment networkmanager:AssociateConnectPeer networkmanager:AssociateCustomerGateway networkmanager:AssociateLink networkmanager:AssociateTransitGatewayConnectPeer networkmanager:CreateConnectAttachment networkmanager:CreateConnectPeer networkmanager:CreateConnection networkmanager:CreateCoreNetwork networkmanager:CreateDevice networkmanager:CreateDirectConnectGatewayAttachment networkmanager:CreateGlobalNetwork networkmanager:CreateLink networkmanager:CreateSite networkmanager:CreateSiteToSiteVpnAttachment networkmanager:CreateTransitGatewayPeering networkmanager:CreateTransitGatewayRouteTableAttachment networkmanager:CreateVpcAttachment networkmanager:DeleteAttachment networkmanager:DeleteConnectPeer networkmanager:DeleteConnection networkmanager:DeleteCoreNetwork networkmanager:DeleteCoreNetworkPolicyVersion networkmanager:DeleteDevice networkmanager:DeleteGlobalNetwork networkmanager:DeleteLink networkmanager:DeletePeering networkmanager:DeleteResourcePolicy networkmanager:DeleteSite networkmanager:DeregisterTransitGateway networkmanager:DescribeGlobalNetworks networkmanager:DisassociateConnectPeer networkmanager:DisassociateCustomerGateway networkmanager:DisassociateLink networkmanager:DisassociateTransitGatewayConnectPeer networkmanager:ExecuteCoreNetworkChangeSet networkmanager:GetConnectAttachment networkmanager:GetConnectPeer networkmanager:GetConnectPeerAssociations networkmanager:GetConnections networkmanager:GetCoreNetwork networkmanager:GetCoreNetworkChangeEvents networkmanager:GetCoreNetworkChangeSet networkmanager:GetCoreNetworkPolicy networkmanager:GetCustomerGatewayAssociations networkmanager:GetDevices networkmanager:GetLinkAssociations networkmanager:GetLinks networkmanager:GetNetworkResourceCounts networkmanager:GetNetworkResourceRelationships networkmanager:GetNetworkResources networkmanager:GetNetworkRoutes networkmanager:GetNetworkTelemetry networkmanager:GetResourcePolicy networkmanager:GetRouteAnalysis networkmanager:GetSiteToSiteVpnAttachment networkmanager:GetSites networkmanager:GetTransitGatewayConnectPeerAssociations networkmanager:GetTransitGatewayPeering networkmanager:GetTransitGatewayRegistrations networkmanager:GetTransitGatewayRouteTableAttachment networkmanager:GetVpcAttachment networkmanager:ListAttachmentRoutingPolicyAssociations networkmanager:ListAttachments networkmanager:ListConnectPeers networkmanager:ListCoreNetworkPolicyVersions networkmanager:ListCoreNetworkPrefixListAssociations networkmanager:ListCoreNetworkRoutingInformation networkmanager:ListCoreNetworks networkmanager:ListOrganizationServiceAccessStatus networkmanager:ListPeerings networkmanager:PutAttachmentRoutingPolicyLabel networkmanager:PutCoreNetworkPolicy networkmanager:PutResourcePolicy networkmanager:RegisterTransitGateway networkmanager:RejectAttachment networkmanager:RemoveAttachmentRoutingPolicyLabel networkmanager:RestoreCoreNetworkPolicyVersion networkmanager:StartOrganizationServiceAccessUpdate networkmanager:StartRouteAnalysis networkmanager:UpdateConnection networkmanager:UpdateCoreNetwork networkmanager:UpdateDevice networkmanager:UpdateDirectConnectGatewayAttachment networkmanager:UpdateGlobalNetwork networkmanager:UpdateLink networkmanager:UpdateNetworkResourceMetadata networkmanager:UpdateSite networkmanager:UpdateVpcAttachment |
| nimble | nimble:AcceptEulas nimble:CreateLaunchProfile nimble:CreateStreamingImage nimble:CreateStreamingSession nimble:CreateStreamingSessionStream nimble:CreateStudio nimble:CreateStudioComponent nimble:DeleteLaunchProfile nimble:DeleteLaunchProfileMember nimble:DeleteStreamingImage nimble:DeleteStreamingSession nimble:DeleteStudio nimble:DeleteStudioComponent nimble:DeleteStudioMember nimble:GetEula nimble:GetLaunchProfileDetails nimble:GetStreamingImage nimble:GetStreamingSession nimble:GetStreamingSessionBackup nimble:GetStreamingSessionStream nimble:GetStudio nimble:GetStudioComponent nimble:GetStudioMember nimble:ListEulas nimble:ListLaunchProfileMembers nimble:ListLaunchProfiles nimble:ListStreamingImages nimble:ListStreamingSessionBackups nimble:ListStreamingSessions nimble:ListStudioComponents nimble:ListStudioMembers nimble:ListStudios nimble:PutLaunchProfileMembers nimble:PutStudioMembers nimble:StartStreamingSession nimble:StartStudioSSOConfigurationRepair nimble:StopStreamingSession nimble:UpdateLaunchProfile nimble:UpdateLaunchProfileMember nimble:UpdateStreamingImage nimble:UpdateStudio nimble:UpdateStudioComponent |
| omics | omics:AbortMultipartReadSetUpload omics:AcceptShare omics:BatchDeleteReadSet omics:CancelAnnotationImportJob omics:CancelRun omics:CancelVariantImportJob omics:CompleteMultipartReadSetUpload omics:CreateAnnotationStore omics:CreateAnnotationStoreVersion omics:CreateMultipartReadSetUpload omics:CreateReferenceStore omics:CreateRunGroup omics:CreateSequenceStore omics:CreateShare omics:CreateVariantStore omics:CreateWorkflow omics:CreateWorkflowVersion omics:DeleteAnnotationStore omics:DeleteAnnotationStoreVersions omics:DeleteReference omics:DeleteReferenceStore omics:DeleteRun omics:DeleteRunGroup omics:DeleteSequenceStore omics:DeleteShare omics:DeleteVariantStore omics:DeleteWorkflow omics:DeleteWorkflowVersion omics:GetAnnotationImportJob omics:GetAnnotationStore omics:GetAnnotationStoreVersion omics:GetReadSet omics:GetReadSetActivationJob omics:GetReadSetExportJob omics:GetReadSetImportJob omics:GetReadSetMetadata omics:GetReference omics:GetReferenceImportJob omics:GetReferenceMetadata omics:GetReferenceStore omics:GetRun omics:GetRunGroup omics:GetRunTask omics:GetSequenceStore omics:GetShare omics:GetVariantImportJob omics:GetVariantStore omics:GetWorkflow omics:GetWorkflowVersion omics:ListAnnotationImportJobs omics:ListAnnotationStoreVersions omics:ListAnnotationStores omics:ListMultipartReadSetUploads omics:ListReadSetActivationJobs omics:ListReadSetExportJobs omics:ListReadSetImportJobs omics:ListReadSetUploadParts omics:ListReadSets omics:ListReferenceImportJobs omics:ListReferenceStores omics:ListReferences omics:ListRunGroups omics:ListRunTasks omics:ListRuns omics:ListSequenceStores omics:ListShares omics:ListVariantImportJobs omics:ListVariantStores omics:ListWorkflowVersions omics:ListWorkflows omics:StartAnnotationImportJob omics:StartReadSetActivationJob omics:StartReadSetExportJob omics:StartReadSetImportJob omics:StartReferenceImportJob omics:StartRun omics:StartVariantImportJob omics:UpdateAnnotationStore omics:UpdateAnnotationStoreVersion omics:UpdateRunGroup omics:UpdateVariantStore omics:UpdateWorkflow omics:UpdateWorkflowVersion omics:UploadReadSetPart |
| opsworks | opsworks:AssignInstance opsworks:AssignVolume opsworks:AssociateElasticIp opsworks:AttachElasticLoadBalancer opsworks:CloneStack opsworks:CreateApp opsworks:CreateDeployment opsworks:CreateInstance opsworks:CreateLayer opsworks:CreateStack opsworks:CreateUserProfile opsworks:DeleteApp opsworks:DeleteInstance opsworks:DeleteLayer opsworks:DeleteStack opsworks:DeleteUserProfile opsworks:DeregisterEcsCluster opsworks:DeregisterElasticIp opsworks:DeregisterInstance opsworks:DeregisterRdsDbInstance opsworks:DeregisterVolume opsworks:DescribeAgentVersions opsworks:DescribeApps opsworks:DescribeCommands opsworks:DescribeDeployments opsworks:DescribeEcsClusters opsworks:DescribeElasticIps opsworks:DescribeElasticLoadBalancers opsworks:DescribeInstances opsworks:DescribeLayers opsworks:DescribeLoadBasedAutoScaling opsworks:DescribeMyUserProfile opsworks:DescribeOperatingSystems opsworks:DescribePermissions opsworks:DescribeRaidArrays opsworks:DescribeRdsDbInstances opsworks:DescribeServiceErrors opsworks:DescribeStackProvisioningParameters opsworks:DescribeStackSummary opsworks:DescribeStacks opsworks:DescribeTimeBasedAutoScaling opsworks:DescribeUserProfiles opsworks:DescribeVolumes opsworks:DetachElasticLoadBalancer opsworks:DisassociateElasticIp opsworks:GetHostnameSuggestion opsworks:GrantAccess opsworks:RebootInstance opsworks:RegisterEcsCluster opsworks:RegisterElasticIp opsworks:RegisterInstance opsworks:RegisterRdsDbInstance opsworks:RegisterVolume opsworks:SetLoadBasedAutoScaling opsworks:SetPermission opsworks:SetTimeBasedAutoScaling opsworks:StartInstance opsworks:StartStack opsworks:StopInstance opsworks:StopStack opsworks:UnassignInstance opsworks:UnassignVolume opsworks:UpdateApp opsworks:UpdateElasticIp opsworks:UpdateInstance opsworks:UpdateLayer opsworks:UpdateMyUserProfile opsworks:UpdateRdsDbInstance opsworks:UpdateStack opsworks:UpdateUserProfile opsworks:UpdateVolume |
| opsworks-cm | opsworks-cm:AssociateNode opsworks-cm:CreateBackup opsworks-cm:CreateServer opsworks-cm:DeleteBackup opsworks-cm:DeleteServer opsworks-cm:DescribeAccountAttributes opsworks-cm:DescribeBackups opsworks-cm:DescribeEvents opsworks-cm:DescribeNodeAssociationStatus opsworks-cm:DescribeServers opsworks-cm:DisassociateNode opsworks-cm:ExportServerEngineAttribute opsworks-cm:RestoreServer opsworks-cm:StartMaintenance opsworks-cm:UpdateServer opsworks-cm:UpdateServerEngineAttributes |
| organizations | organizations:AcceptHandshake organizations:AttachPolicy organizations:CancelHandshake organizations:CloseAccount organizations:CreateAccount organizations:CreateGovCloudAccount organizations:CreateOrganization organizations:CreateOrganizationalUnit organizations:CreatePolicy organizations:DeclineHandshake organizations:DeleteOrganization organizations:DeleteOrganizationalUnit organizations:DeletePolicy organizations:DeleteResourcePolicy organizations:DeregisterDelegatedAdministrator organizations:DescribeAccount organizations:DescribeCreateAccountStatus organizations:DescribeEffectivePolicy organizations:DescribeHandshake organizations:DescribeOrganization organizations:DescribeOrganizationalUnit organizations:DescribePolicy organizations:DescribeResourcePolicy organizations:DescribeResponsibilityTransfer organizations:DetachPolicy organizations:DisableAWSServiceAccess organizations:DisablePolicyType organizations:EnableAWSServiceAccess organizations:EnableAllFeatures organizations:EnablePolicyType organizations:InviteAccountToOrganization organizations:LeaveOrganization organizations:ListAWSServiceAccessForOrganization organizations:ListAccounts organizations:ListAccountsForParent organizations:ListAccountsWithInvalidEffectivePolicy organizations:ListChildren organizations:ListCreateAccountStatus organizations:ListDelegatedAdministrators organizations:ListDelegatedServicesForAccount organizations:ListHandshakesForAccount organizations:ListHandshakesForOrganization organizations:ListInboundResponsibilityTransfers organizations:ListOrganizationalUnitsForParent organizations:ListOutboundResponsibilityTransfers organizations:ListParents organizations:ListPolicies organizations:ListPoliciesForTarget organizations:ListRoots organizations:ListTargetsForPolicy organizations:MoveAccount organizations:PutResourcePolicy organizations:RegisterDelegatedAdministrator organizations:RemoveAccountFromOrganization organizations:TerminateResponsibilityTransfer organizations:UpdateOrganizationalUnit organizations:UpdatePolicy organizations:UpdateResponsibilityTransfer |
| outposts | outposts:CancelCapacityTask outposts:CancelOrder outposts:CreateOrder outposts:CreateOutpost outposts:CreatePrivateConnectivityConfig outposts:CreateSite outposts:DeleteOutpost outposts:DeleteSite outposts:GetCapacityTask outposts:GetCatalogItem outposts:GetConnection outposts:GetOrder outposts:GetOutpost outposts:GetOutpostBillingInformation outposts:GetOutpostInstanceTypes outposts:GetOutpostSupportedInstanceTypes outposts:GetPrivateConnectivityConfig outposts:GetSite outposts:GetSiteAddress outposts:ListAssetInstances outposts:ListAssets outposts:ListBlockingInstancesForCapacityTask outposts:ListCapacityTasks outposts:ListCatalogItems outposts:ListOrders outposts:ListOutposts outposts:ListSites outposts:StartCapacityTask outposts:StartConnection outposts:UpdateOutpost outposts:UpdateSite outposts:UpdateSiteAddress outposts:UpdateSiteRackPhysicalProperties |
| panorama | panorama:CreateApplicationInstance panorama:CreateJobForDevices panorama:CreateNodeFromTemplateJob panorama:CreatePackage panorama:CreatePackageImportJob panorama:DeleteDevice panorama:DeletePackage panorama:DeregisterPackageVersion panorama:DescribeApplicationInstance panorama:DescribeApplicationInstanceDetails panorama:DescribeDevice panorama:DescribeDeviceJob panorama:DescribeNode panorama:DescribeNodeFromTemplateJob panorama:DescribePackage panorama:DescribePackageImportJob panorama:DescribePackageVersion panorama:ListApplicationInstanceDependencies panorama:ListApplicationInstanceNodeInstances panorama:ListApplicationInstances panorama:ListDevices panorama:ListDevicesJobs panorama:ListNodeFromTemplateJobs panorama:ListNodes panorama:ListPackageImportJobs panorama:ListPackages panorama:ProvisionDevice panorama:RegisterPackageVersion panorama:RemoveApplicationInstance panorama:SignalApplicationInstanceNodeInstances panorama:UpdateDeviceMetadata |
| pi | pi:CreatePerformanceAnalysisReport pi:DeletePerformanceAnalysisReport pi:DescribeDimensionKeys pi:GetDimensionKeyDetails pi:GetPerformanceAnalysisReport pi:GetResourceMetadata pi:GetResourceMetrics pi:ListAvailableResourceDimensions pi:ListAvailableResourceMetrics pi:ListPerformanceAnalysisReports |
| pipes | pipes:CreatePipe pipes:DeletePipe pipes:DescribePipe pipes:ListPipes pipes:StartPipe pipes:StopPipe pipes:UpdatePipe |
| polly | polly:DeleteLexicon polly:DescribeVoices polly:GetLexicon polly:GetSpeechSynthesisTask polly:ListLexicons polly:ListSpeechSynthesisTasks polly:PutLexicon polly:StartSpeechSynthesisTask polly:SynthesizeSpeech |
| profile | profile:AddProfileKey profile:BatchGetCalculatedAttributeForProfile profile:BatchGetProfile profile:CreateCalculatedAttributeDefinition profile:CreateDomain profile:CreateEventStream profile:CreateProfile profile:CreateRecommender profile:CreateSegmentDefinition profile:CreateSegmentEstimate profile:CreateSegmentSnapshot profile:CreateUploadJob profile:DeleteCalculatedAttributeDefinition profile:DeleteDomain profile:DeleteDomainObjectType profile:DeleteEventStream profile:DeleteIntegration profile:DeleteProfile profile:DeleteProfileKey profile:DeleteProfileObject profile:DeleteProfileObjectType profile:DeleteRecommender profile:DeleteSegmentDefinition profile:DeleteWorkflow profile:DetectProfileObjectType profile:GetAutoMergingPreview profile:GetCalculatedAttributeDefinition profile:GetCalculatedAttributeForProfile profile:GetDomain profile:GetDomainObjectType profile:GetEventStream profile:GetIdentityResolutionJob profile:GetIntegration profile:GetMatches profile:GetObjectTypeAttributeStatistics profile:GetProfileObjectType profile:GetProfileObjectTypeTemplate profile:GetProfileRecommendations profile:GetRecommender profile:GetSegmentDefinition profile:GetSegmentEstimate profile:GetSegmentMembership profile:GetSegmentSnapshot profile:GetSimilarProfiles profile:GetUploadJob profile:GetUploadJobPath profile:GetWorkflow profile:GetWorkflowSteps profile:ListAccountIntegrations profile:ListCalculatedAttributeDefinitions profile:ListCalculatedAttributesForProfile profile:ListDomainLayouts profile:ListDomainObjectTypes profile:ListDomains profile:ListEventStreams profile:ListIdentityResolutionJobs profile:ListIntegrations profile:ListObjectTypeAttributeValues profile:ListObjectTypeAttributes profile:ListProfileAttributeValues profile:ListProfileObjectTypeTemplates profile:ListProfileObjectTypes profile:ListProfileObjects profile:ListRecommenderRecipes profile:ListRecommenders profile:ListRuleBasedMatches profile:ListSegmentDefinitions profile:ListUploadJobs profile:ListWorkflows profile:MergeProfiles profile:PutDomainObjectType profile:PutIntegration profile:PutProfileObject profile:PutProfileObjectType profile:SearchProfiles profile:StartRecommender profile:StartUploadJob profile:StopRecommender profile:StopUploadJob profile:UpdateCalculatedAttributeDefinition profile:UpdateDomain profile:UpdateProfile profile:UpdateRecommender |
| qldb | qldb:CancelJournalKinesisStream qldb:CreateLedger qldb:DeleteLedger qldb:DescribeJournalKinesisStream qldb:DescribeJournalS3Export qldb:DescribeLedger qldb:ExportJournalToS3 qldb:GetBlock qldb:GetDigest qldb:GetRevision qldb:ListJournalKinesisStreamsForLedger qldb:ListJournalS3Exports qldb:ListJournalS3ExportsForLedger qldb:ListLedgers qldb:StreamJournalToKinesis qldb:UpdateLedger qldb:UpdateLedgerPermissionsMode |
| ram | ram:AcceptResourceShareInvitation ram:AssociateResourceShare ram:AssociateResourceSharePermission ram:CreatePermission ram:CreatePermissionVersion ram:CreateResourceShare ram:DeletePermission ram:DeletePermissionVersion ram:DeleteResourceShare ram:DisassociateResourceShare ram:DisassociateResourceSharePermission ram:EnableSharingWithAwsOrganization ram:GetPermission ram:GetResourcePolicies ram:GetResourceShareAssociations ram:GetResourceShareInvitations ram:GetResourceShares ram:ListPendingInvitationResources ram:ListPermissionAssociations ram:ListPermissionVersions ram:ListPermissions ram:ListPrincipals ram:ListReplacePermissionAssociationsWork ram:ListResourceSharePermissions ram:ListResourceTypes ram:ListResources ram:PromotePermissionCreatedFromPolicy ram:PromoteResourceShareCreatedFromPolicy ram:RejectResourceShareInvitation ram:ReplacePermissionAssociations ram:SetDefaultPermissionVersion ram:UpdateResourceShare |
| rbin | rbin:CreateRule rbin:DeleteRule rbin:GetRule rbin:ListRules rbin:LockRule rbin:UnlockRule rbin:UpdateRule |
| rds | rds:AddRoleToDBCluster rds:AddRoleToDBInstance rds:AddSourceIdentifierToSubscription rds:ApplyPendingMaintenanceAction rds:AuthorizeDBSecurityGroupIngress rds:BacktrackDBCluster rds:CancelExportTask rds:CopyDBClusterParameterGroup rds:CopyDBClusterSnapshot rds:CopyDBParameterGroup rds:CopyDBSnapshot rds:CopyOptionGroup rds:CreateCustomDBEngineVersion rds:CreateDBClusterParameterGroup rds:CreateDBParameterGroup rds:CreateDBProxy rds:CreateDBProxyEndpoint rds:CreateDBSecurityGroup rds:CreateDBSubnetGroup rds:CreateEventSubscription rds:CreateGlobalCluster rds:CreateOptionGroup rds:DeleteBlueGreenDeployment rds:DeleteDBClusterAutomatedBackup rds:DeleteDBClusterParameterGroup rds:DeleteDBClusterSnapshot rds:DeleteDBInstanceAutomatedBackup rds:DeleteDBParameterGroup rds:DeleteDBProxy rds:DeleteDBProxyEndpoint rds:DeleteDBSecurityGroup rds:DeleteDBSnapshot rds:DeleteDBSubnetGroup rds:DeleteEventSubscription rds:DeleteGlobalCluster rds:DeleteOptionGroup rds:DeregisterDBProxyTargets rds:DescribeAccountAttributes rds:DescribeBlueGreenDeployments rds:DescribeCertificates rds:DescribeDBClusterAutomatedBackups rds:DescribeDBClusterBacktracks rds:DescribeDBClusterEndpoints rds:DescribeDBClusterParameterGroups rds:DescribeDBClusterParameters rds:DescribeDBClusterSnapshotAttributes rds:DescribeDBClusterSnapshots rds:DescribeDBClusters rds:DescribeDBEngineVersions rds:DescribeDBInstanceAutomatedBackups rds:DescribeDBInstances rds:DescribeDBLogFiles rds:DescribeDBMajorEngineVersions rds:DescribeDBParameterGroups rds:DescribeDBParameters rds:DescribeDBProxies rds:DescribeDBProxyEndpoints rds:DescribeDBProxyTargetGroups rds:DescribeDBProxyTargets rds:DescribeDBRecommendations rds:DescribeDBSecurityGroups rds:DescribeDBSnapshotAttributes rds:DescribeDBSnapshotTenantDatabases rds:DescribeDBSnapshots rds:DescribeDBSubnetGroups rds:DescribeEngineDefaultClusterParameters rds:DescribeEngineDefaultParameters rds:DescribeEventCategories rds:DescribeEventSubscriptions rds:DescribeEvents rds:DescribeExportTasks rds:DescribeGlobalClusters rds:DescribeIntegrations rds:DescribeOptionGroupOptions rds:DescribeOptionGroups rds:DescribeOrderableDBInstanceOptions rds:DescribePendingMaintenanceActions rds:DescribeReservedDBInstances rds:DescribeReservedDBInstancesOfferings rds:DescribeSourceRegions rds:DescribeTenantDatabases rds:DescribeValidDBInstanceModifications rds:DownloadCompleteDBLogFile rds:DownloadDBLogFilePortion rds:FailoverDBCluster rds:FailoverGlobalCluster rds:ModifyActivityStream rds:ModifyCertificates rds:ModifyCurrentDBClusterCapacity rds:ModifyDBClusterEndpoint rds:ModifyDBClusterParameterGroup rds:ModifyDBClusterSnapshotAttribute rds:ModifyDBParameterGroup rds:ModifyDBProxy rds:ModifyDBProxyEndpoint rds:ModifyDBProxyTargetGroup rds:ModifyDBRecommendation rds:ModifyDBSnapshot rds:ModifyDBSnapshotAttribute rds:ModifyDBSubnetGroup rds:ModifyEventSubscription rds:ModifyGlobalCluster rds:ModifyOptionGroup rds:ModifyTenantDatabase rds:PurchaseReservedDBInstancesOffering rds:RebootDBCluster rds:RegisterDBProxyTargets rds:RemoveFromGlobalCluster rds:RemoveRoleFromDBCluster rds:RemoveRoleFromDBInstance rds:RemoveSourceIdentifierFromSubscription rds:ResetDBClusterParameterGroup rds:ResetDBParameterGroup rds:RestoreDBClusterFromS3 rds:RestoreDBClusterFromSnapshot rds:RestoreDBClusterToPointInTime rds:RestoreDBInstanceFromDBSnapshot rds:RestoreDBInstanceFromS3 rds:RestoreDBInstanceToPointInTime rds:RevokeDBSecurityGroupIngress rds:StartActivityStream rds:StartDBCluster rds:StartDBInstance rds:StartDBInstanceAutomatedBackupsReplication rds:StartExportTask rds:StopActivityStream rds:StopDBCluster rds:StopDBInstance rds:StopDBInstanceAutomatedBackupsReplication rds:SwitchoverBlueGreenDeployment rds:SwitchoverGlobalCluster rds:SwitchoverReadReplica |
| redshift | redshift:AcceptReservedNodeExchange redshift:AddPartner redshift:AssociateDataShareConsumer redshift:AuthorizeClusterSecurityGroupIngress redshift:AuthorizeDataShare redshift:AuthorizeEndpointAccess redshift:AuthorizeSnapshotAccess redshift:BatchDeleteClusterSnapshots redshift:BatchModifyClusterSnapshots redshift:CancelQuery redshift:CancelResize redshift:CopyClusterSnapshot redshift:CreateAuthenticationProfile redshift:CreateCluster redshift:CreateClusterParameterGroup redshift:CreateClusterSecurityGroup redshift:CreateClusterSnapshot redshift:CreateClusterSubnetGroup redshift:CreateCustomDomainAssociation redshift:CreateEndpointAccess redshift:CreateEventSubscription redshift:CreateHsmClientCertificate redshift:CreateHsmConfiguration redshift:CreateIntegration redshift:CreateRedshiftIdcApplication redshift:CreateScheduledAction redshift:CreateSnapshotCopyGrant redshift:CreateSnapshotSchedule redshift:CreateUsageLimit redshift:DeauthorizeDataShare redshift:DeleteAuthenticationProfile redshift:DeleteCluster redshift:DeleteClusterParameterGroup redshift:DeleteClusterSecurityGroup redshift:DeleteClusterSnapshot redshift:DeleteClusterSubnetGroup redshift:DeleteCustomDomainAssociation redshift:DeleteEndpointAccess redshift:DeleteEventSubscription redshift:DeleteHsmClientCertificate redshift:DeleteHsmConfiguration redshift:DeletePartner redshift:DeleteRedshiftIdcApplication redshift:DeleteResourcePolicy redshift:DeleteScheduledAction redshift:DeleteSnapshotCopyGrant redshift:DeleteSnapshotSchedule redshift:DeleteUsageLimit redshift:DeregisterNamespace redshift:DescribeAccountAttributes redshift:DescribeAuthenticationProfiles redshift:DescribeClusterDbRevisions redshift:DescribeClusterParameterGroups redshift:DescribeClusterParameters redshift:DescribeClusterSecurityGroups redshift:DescribeClusterSnapshots redshift:DescribeClusterSubnetGroups redshift:DescribeClusterTracks redshift:DescribeClusterVersions redshift:DescribeClusters redshift:DescribeCustomDomainAssociations redshift:DescribeDataShares redshift:DescribeDataSharesForConsumer redshift:DescribeDataSharesForProducer redshift:DescribeDefaultClusterParameters redshift:DescribeEndpointAccess redshift:DescribeEndpointAuthorization redshift:DescribeEventCategories redshift:DescribeEventSubscriptions redshift:DescribeEvents redshift:DescribeHsmClientCertificates redshift:DescribeHsmConfigurations redshift:DescribeInboundIntegrations redshift:DescribeIntegrations redshift:DescribeLoggingStatus redshift:DescribeNodeConfigurationOptions redshift:DescribeOrderableClusterOptions redshift:DescribePartners redshift:DescribeRedshiftIdcApplications redshift:DescribeReservedNodeExchangeStatus redshift:DescribeReservedNodeOfferings redshift:DescribeReservedNodes redshift:DescribeResize redshift:DescribeScheduledActions redshift:DescribeSnapshotCopyGrants redshift:DescribeSnapshotSchedules redshift:DescribeStorage redshift:DescribeTableRestoreStatus redshift:DescribeUsageLimits redshift:DisableLogging redshift:DisableSnapshotCopy redshift:DisassociateDataShareConsumer redshift:EnableLogging redshift:EnableSnapshotCopy redshift:FailoverPrimaryCompute redshift:GetClusterCredentials redshift:GetClusterCredentialsWithIAM redshift:GetIdentityCenterAuthToken redshift:GetReservedNodeExchangeConfigurationOptions redshift:GetReservedNodeExchangeOfferings redshift:GetResourcePolicy redshift:ListRecommendations redshift:ModifyAquaConfiguration redshift:ModifyAuthenticationProfile redshift:ModifyCluster redshift:ModifyClusterDbRevision redshift:ModifyClusterIamRoles redshift:ModifyClusterMaintenance redshift:ModifyClusterParameterGroup redshift:ModifyClusterSnapshot redshift:ModifyClusterSnapshotSchedule redshift:ModifyClusterSubnetGroup redshift:ModifyCustomDomainAssociation redshift:ModifyEndpointAccess redshift:ModifyEventSubscription redshift:ModifyRedshiftIdcApplication redshift:ModifyScheduledAction redshift:ModifySnapshotCopyRetentionPeriod redshift:ModifySnapshotSchedule redshift:ModifyUsageLimit redshift:PauseCluster redshift:PurchaseReservedNodeOffering redshift:PutResourcePolicy redshift:RebootCluster redshift:RegisterNamespace redshift:RejectDataShare redshift:ResetClusterParameterGroup redshift:ResizeCluster redshift:RestoreFromClusterSnapshot redshift:RestoreTableFromClusterSnapshot redshift:ResumeCluster redshift:RevokeClusterSecurityGroupIngress redshift:RevokeEndpointAccess redshift:RevokeSnapshotAccess redshift:RotateEncryptionKey redshift:UpdatePartnerStatus |
| redshift-data | redshift-data:BatchExecuteStatement redshift-data:CancelStatement redshift-data:DescribeStatement redshift-data:DescribeTable redshift-data:ExecuteStatement redshift-data:GetStatementResult redshift-data:ListDatabases redshift-data:ListSchemas redshift-data:ListStatements redshift-data:ListTables |
| refactor-spaces | refactor-spaces:CreateApplication refactor-spaces:CreateEnvironment refactor-spaces:CreateRoute refactor-spaces:CreateService refactor-spaces:DeleteApplication refactor-spaces:DeleteEnvironment refactor-spaces:DeleteResourcePolicy refactor-spaces:DeleteRoute refactor-spaces:DeleteService refactor-spaces:GetApplication refactor-spaces:GetEnvironment refactor-spaces:GetResourcePolicy refactor-spaces:GetRoute refactor-spaces:GetService refactor-spaces:ListApplications refactor-spaces:ListEnvironmentVpcs refactor-spaces:ListEnvironments refactor-spaces:ListRoutes refactor-spaces:ListServices refactor-spaces:PutResourcePolicy refactor-spaces:UpdateRoute |
| rekognition | rekognition:AssociateFaces rekognition:CompareFaces rekognition:CopyProjectVersion rekognition:CreateCollection rekognition:CreateDataset rekognition:CreateFaceLivenessSession rekognition:CreateProject rekognition:CreateProjectVersion rekognition:CreateStreamProcessor rekognition:CreateUser rekognition:DeleteCollection rekognition:DeleteDataset rekognition:DeleteFaces rekognition:DeleteProject rekognition:DeleteProjectPolicy rekognition:DeleteProjectVersion rekognition:DeleteStreamProcessor rekognition:DeleteUser rekognition:DescribeCollection rekognition:DescribeDataset rekognition:DescribeProjectVersions rekognition:DescribeProjects rekognition:DescribeStreamProcessor rekognition:DetectCustomLabels rekognition:DetectFaces rekognition:DetectLabels rekognition:DetectModerationLabels rekognition:DetectProtectiveEquipment rekognition:DetectText rekognition:DisassociateFaces rekognition:DistributeDatasetEntries rekognition:GetCelebrityInfo rekognition:GetCelebrityRecognition rekognition:GetContentModeration rekognition:GetFaceDetection rekognition:GetFaceLivenessSessionResults rekognition:GetFaceSearch rekognition:GetLabelDetection rekognition:GetMediaAnalysisJob rekognition:GetPersonTracking rekognition:GetSegmentDetection rekognition:GetTextDetection rekognition:IndexFaces rekognition:ListCollections rekognition:ListDatasetEntries rekognition:ListDatasetLabels rekognition:ListFaces rekognition:ListMediaAnalysisJobs rekognition:ListProjectPolicies rekognition:ListStreamProcessors rekognition:ListUsers rekognition:PutProjectPolicy rekognition:RecognizeCelebrities rekognition:SearchFaces rekognition:SearchFacesByImage rekognition:SearchUsers rekognition:SearchUsersByImage rekognition:StartCelebrityRecognition rekognition:StartContentModeration rekognition:StartFaceDetection rekognition:StartFaceLivenessSession rekognition:StartFaceSearch rekognition:StartLabelDetection rekognition:StartMediaAnalysisJob rekognition:StartPersonTracking rekognition:StartProjectVersion rekognition:StartSegmentDetection rekognition:StartStreamProcessor rekognition:StartTextDetection rekognition:StopProjectVersion rekognition:StopStreamProcessor rekognition:UpdateDatasetEntries rekognition:UpdateStreamProcessor |
| resiliencehub | resiliencehub:AcceptResourceGroupingRecommendations resiliencehub:AddDraftAppVersionResourceMappings resiliencehub:BatchUpdateRecommendationStatus resiliencehub:CreateApp resiliencehub:CreateAppVersionAppComponent resiliencehub:CreateAppVersionResource resiliencehub:CreateRecommendationTemplate resiliencehub:CreateResiliencyPolicy resiliencehub:DeleteApp resiliencehub:DeleteAppAssessment resiliencehub:DeleteAppInputSource resiliencehub:DeleteAppVersionAppComponent resiliencehub:DeleteAppVersionResource resiliencehub:DeleteRecommendationTemplate resiliencehub:DeleteResiliencyPolicy resiliencehub:DescribeApp resiliencehub:DescribeAppAssessment resiliencehub:DescribeAppVersion resiliencehub:DescribeAppVersionAppComponent resiliencehub:DescribeAppVersionResource resiliencehub:DescribeAppVersionResourcesResolutionStatus resiliencehub:DescribeAppVersionTemplate resiliencehub:DescribeDraftAppVersionResourcesImportStatus resiliencehub:DescribeMetricsExport resiliencehub:DescribeResiliencyPolicy resiliencehub:DescribeResourceGroupingRecommendationTask resiliencehub:ImportResourcesToDraftAppVersion resiliencehub:ListAlarmRecommendations resiliencehub:ListAppAssessmentComplianceDrifts resiliencehub:ListAppAssessmentResourceDrifts resiliencehub:ListAppAssessments resiliencehub:ListAppComponentCompliances resiliencehub:ListAppComponentRecommendations resiliencehub:ListAppInputSources resiliencehub:ListAppVersionAppComponents resiliencehub:ListAppVersionResourceMappings resiliencehub:ListAppVersionResources resiliencehub:ListAppVersions resiliencehub:ListApps resiliencehub:ListMetrics resiliencehub:ListRecommendationTemplates resiliencehub:ListResiliencyPolicies resiliencehub:ListResourceGroupingRecommendations resiliencehub:ListSopRecommendations resiliencehub:ListSuggestedResiliencyPolicies resiliencehub:ListTestRecommendations resiliencehub:ListUnsupportedAppVersionResources resiliencehub:PublishAppVersion resiliencehub:PutDraftAppVersionTemplate resiliencehub:RejectResourceGroupingRecommendations resiliencehub:RemoveDraftAppVersionResourceMappings resiliencehub:ResolveAppVersionResources resiliencehub:StartAppAssessment resiliencehub:StartResourceGroupingRecommendationTask resiliencehub:UpdateApp resiliencehub:UpdateAppVersion resiliencehub:UpdateAppVersionAppComponent resiliencehub:UpdateAppVersionResource resiliencehub:UpdateResiliencyPolicy |
| resource-explorer-2 | resource-explorer-2:AssociateDefaultView resource-explorer-2:BatchGetView resource-explorer-2:CreateIndex resource-explorer-2:CreateResourceExplorerSetup resource-explorer-2:CreateView resource-explorer-2:DeleteIndex resource-explorer-2:DeleteResourceExplorerSetup resource-explorer-2:DeleteView resource-explorer-2:DisassociateDefaultView resource-explorer-2:GetAccountLevelServiceConfiguration resource-explorer-2:GetDefaultView resource-explorer-2:GetIndex resource-explorer-2:GetManagedView resource-explorer-2:GetResourceExplorerSetup resource-explorer-2:GetServiceIndex resource-explorer-2:GetServiceView resource-explorer-2:ListIndexes resource-explorer-2:ListIndexesForMembers resource-explorer-2:ListManagedViews resource-explorer-2:ListServiceIndexes resource-explorer-2:ListServiceViews resource-explorer-2:ListStreamingAccessForServices resource-explorer-2:ListSupportedResourceTypes resource-explorer-2:ListViews resource-explorer-2:Search resource-explorer-2:UpdateIndexType resource-explorer-2:UpdateView |
| resource-groups | resource-groups:CancelTagSyncTask resource-groups:GetAccountSettings resource-groups:GetGroup resource-groups:GetGroupConfiguration resource-groups:GetGroupQuery resource-groups:GetTagSyncTask resource-groups:GroupResources resource-groups:ListGroupResources resource-groups:ListGroupingStatuses resource-groups:ListGroups resource-groups:ListTagSyncTasks resource-groups:PutGroupConfiguration resource-groups:SearchResources resource-groups:StartTagSyncTask resource-groups:UngroupResources resource-groups:UpdateAccountSettings resource-groups:UpdateGroup resource-groups:UpdateGroupQuery |
| robomaker | robomaker:BatchDeleteWorlds robomaker:BatchDescribeSimulationJob robomaker:CancelDeploymentJob robomaker:CancelSimulationJob robomaker:CancelSimulationJobBatch robomaker:CancelWorldExportJob robomaker:CancelWorldGenerationJob robomaker:CreateDeploymentJob robomaker:CreateFleet robomaker:CreateRobot robomaker:CreateRobotApplication robomaker:CreateRobotApplicationVersion robomaker:CreateSimulationApplication robomaker:CreateSimulationApplicationVersion robomaker:CreateSimulationJob robomaker:CreateWorldExportJob robomaker:CreateWorldGenerationJob robomaker:CreateWorldTemplate robomaker:DeleteFleet robomaker:DeleteRobot robomaker:DeleteRobotApplication robomaker:DeleteSimulationApplication robomaker:DeleteWorldTemplate robomaker:DeregisterRobot robomaker:DescribeDeploymentJob robomaker:DescribeFleet robomaker:DescribeRobot robomaker:DescribeRobotApplication robomaker:DescribeSimulationApplication robomaker:DescribeSimulationJob robomaker:DescribeSimulationJobBatch robomaker:DescribeWorld robomaker:DescribeWorldExportJob robomaker:DescribeWorldGenerationJob robomaker:DescribeWorldTemplate robomaker:GetWorldTemplateBody robomaker:ListDeploymentJobs robomaker:ListFleets robomaker:ListRobotApplications robomaker:ListRobots robomaker:ListSimulationApplications robomaker:ListSimulationJobBatches robomaker:ListSimulationJobs robomaker:ListWorldExportJobs robomaker:ListWorldGenerationJobs robomaker:ListWorldTemplates robomaker:ListWorlds robomaker:RegisterRobot robomaker:RestartSimulationJob robomaker:StartSimulationJobBatch robomaker:SyncDeploymentJob robomaker:UpdateRobotApplication robomaker:UpdateSimulationApplication robomaker:UpdateWorldTemplate |
| rolesanywhere | rolesanywhere:CreateProfile rolesanywhere:CreateTrustAnchor rolesanywhere:DeleteAttributeMapping rolesanywhere:DeleteCrl rolesanywhere:DeleteProfile rolesanywhere:DeleteTrustAnchor rolesanywhere:DisableCrl rolesanywhere:DisableProfile rolesanywhere:DisableTrustAnchor rolesanywhere:EnableCrl rolesanywhere:EnableProfile rolesanywhere:EnableTrustAnchor rolesanywhere:GetCrl rolesanywhere:GetProfile rolesanywhere:GetSubject rolesanywhere:GetTrustAnchor rolesanywhere:ImportCrl rolesanywhere:ListCrls rolesanywhere:ListProfiles rolesanywhere:ListSubjects rolesanywhere:ListTrustAnchors rolesanywhere:PutAttributeMapping rolesanywhere:PutNotificationSettings rolesanywhere:ResetNotificationSettings rolesanywhere:UpdateCrl rolesanywhere:UpdateProfile rolesanywhere:UpdateTrustAnchor |
| route53 | route53:ActivateKeySigningKey route53:AssociateVPCWithHostedZone route53:ChangeCidrCollection route53:ChangeResourceRecordSets route53:CreateCidrCollection route53:CreateHealthCheck route53:CreateHostedZone route53:CreateKeySigningKey route53:CreateQueryLoggingConfig route53:CreateReusableDelegationSet route53:CreateTrafficPolicy route53:CreateTrafficPolicyInstance route53:CreateTrafficPolicyVersion route53:CreateVPCAssociationAuthorization route53:DeactivateKeySigningKey route53:DeleteCidrCollection route53:DeleteHealthCheck route53:DeleteHostedZone route53:DeleteKeySigningKey route53:DeleteQueryLoggingConfig route53:DeleteReusableDelegationSet route53:DeleteTrafficPolicy route53:DeleteTrafficPolicyInstance route53:DeleteVPCAssociationAuthorization route53:DisableHostedZoneDNSSEC route53:DisassociateVPCFromHostedZone route53:EnableHostedZoneDNSSEC route53:GetAccountLimit route53:GetChange route53:GetCheckerIpRanges route53:GetDNSSEC route53:GetGeoLocation route53:GetHealthCheck route53:GetHealthCheckCount route53:GetHealthCheckLastFailureReason route53:GetHealthCheckStatus route53:GetHostedZone route53:GetHostedZoneCount route53:GetHostedZoneLimit route53:GetQueryLoggingConfig route53:GetReusableDelegationSet route53:GetReusableDelegationSetLimit route53:GetTrafficPolicy route53:GetTrafficPolicyInstance route53:GetTrafficPolicyInstanceCount route53:ListCidrBlocks route53:ListCidrCollections route53:ListCidrLocations route53:ListGeoLocations route53:ListHealthChecks route53:ListHostedZones route53:ListHostedZonesByName route53:ListHostedZonesByVPC route53:ListQueryLoggingConfigs route53:ListResourceRecordSets route53:ListReusableDelegationSets route53:ListTrafficPolicies route53:ListTrafficPolicyInstances route53:ListTrafficPolicyInstancesByHostedZone route53:ListTrafficPolicyInstancesByPolicy route53:ListTrafficPolicyVersions route53:ListVPCAssociationAuthorizations route53:TestDNSAnswer route53:UpdateHealthCheck route53:UpdateHostedZoneComment route53:UpdateTrafficPolicyComment route53:UpdateTrafficPolicyInstance |
| route53-recovery-control-config | route53-recovery-control-config:CreateCluster route53-recovery-control-config:CreateControlPanel route53-recovery-control-config:CreateRoutingControl route53-recovery-control-config:CreateSafetyRule route53-recovery-control-config:DeleteCluster route53-recovery-control-config:DeleteControlPanel route53-recovery-control-config:DeleteRoutingControl route53-recovery-control-config:DeleteSafetyRule route53-recovery-control-config:DescribeCluster route53-recovery-control-config:DescribeControlPanel route53-recovery-control-config:DescribeRoutingControl route53-recovery-control-config:DescribeSafetyRule route53-recovery-control-config:GetResourcePolicy route53-recovery-control-config:ListAssociatedRoute53HealthChecks route53-recovery-control-config:ListClusters route53-recovery-control-config:ListControlPanels route53-recovery-control-config:ListRoutingControls route53-recovery-control-config:ListSafetyRules route53-recovery-control-config:UpdateCluster route53-recovery-control-config:UpdateControlPanel route53-recovery-control-config:UpdateRoutingControl route53-recovery-control-config:UpdateSafetyRule |
| route53-recovery-readiness | route53-recovery-readiness:CreateCell route53-recovery-readiness:CreateCrossAccountAuthorization route53-recovery-readiness:CreateReadinessCheck route53-recovery-readiness:CreateRecoveryGroup route53-recovery-readiness:CreateResourceSet route53-recovery-readiness:DeleteCell route53-recovery-readiness:DeleteCrossAccountAuthorization route53-recovery-readiness:DeleteReadinessCheck route53-recovery-readiness:DeleteRecoveryGroup route53-recovery-readiness:DeleteResourceSet route53-recovery-readiness:GetArchitectureRecommendations route53-recovery-readiness:GetCell route53-recovery-readiness:GetCellReadinessSummary route53-recovery-readiness:GetReadinessCheck route53-recovery-readiness:GetReadinessCheckResourceStatus route53-recovery-readiness:GetReadinessCheckStatus route53-recovery-readiness:GetRecoveryGroup route53-recovery-readiness:GetRecoveryGroupReadinessSummary route53-recovery-readiness:GetResourceSet route53-recovery-readiness:ListCells route53-recovery-readiness:ListCrossAccountAuthorizations route53-recovery-readiness:ListReadinessChecks route53-recovery-readiness:ListRecoveryGroups route53-recovery-readiness:ListResourceSets route53-recovery-readiness:ListRules route53-recovery-readiness:UpdateCell route53-recovery-readiness:UpdateReadinessCheck route53-recovery-readiness:UpdateRecoveryGroup route53-recovery-readiness:UpdateResourceSet |
| route53resolver | route53resolver:AssociateFirewallRuleGroup route53resolver:AssociateResolverEndpointIpAddress route53resolver:AssociateResolverQueryLogConfig route53resolver:AssociateResolverRule route53resolver:CreateFirewallDomainList route53resolver:CreateFirewallRule route53resolver:CreateFirewallRuleGroup route53resolver:CreateResolverEndpoint route53resolver:CreateResolverQueryLogConfig route53resolver:CreateResolverRule route53resolver:DeleteFirewallDomainList route53resolver:DeleteFirewallRule route53resolver:DeleteFirewallRuleGroup route53resolver:DeleteOutpostResolver route53resolver:DeleteResolverEndpoint route53resolver:DeleteResolverQueryLogConfig route53resolver:DeleteResolverRule route53resolver:DisassociateFirewallRuleGroup route53resolver:DisassociateResolverEndpointIpAddress route53resolver:DisassociateResolverQueryLogConfig route53resolver:DisassociateResolverRule route53resolver:GetFirewallConfig route53resolver:GetFirewallDomainList route53resolver:GetFirewallRuleGroup route53resolver:GetFirewallRuleGroupAssociation route53resolver:GetFirewallRuleGroupPolicy route53resolver:GetOutpostResolver route53resolver:GetResolverConfig route53resolver:GetResolverDnssecConfig route53resolver:GetResolverEndpoint route53resolver:GetResolverQueryLogConfig route53resolver:GetResolverQueryLogConfigAssociation route53resolver:GetResolverQueryLogConfigPolicy route53resolver:GetResolverRule route53resolver:GetResolverRuleAssociation route53resolver:GetResolverRulePolicy route53resolver:ImportFirewallDomains route53resolver:ListFirewallConfigs route53resolver:ListFirewallDomainLists route53resolver:ListFirewallDomains route53resolver:ListFirewallRuleGroupAssociations route53resolver:ListFirewallRuleGroups route53resolver:ListFirewallRules route53resolver:ListOutpostResolvers route53resolver:ListResolverConfigs route53resolver:ListResolverDnssecConfigs route53resolver:ListResolverEndpointIpAddresses route53resolver:ListResolverEndpoints route53resolver:ListResolverQueryLogConfigAssociations route53resolver:ListResolverQueryLogConfigs route53resolver:ListResolverRuleAssociations route53resolver:ListResolverRules route53resolver:PutFirewallRuleGroupPolicy route53resolver:PutResolverQueryLogConfigPolicy route53resolver:UpdateFirewallConfig route53resolver:UpdateFirewallDomains route53resolver:UpdateFirewallRule route53resolver:UpdateFirewallRuleGroupAssociation route53resolver:UpdateOutpostResolver route53resolver:UpdateResolverConfig route53resolver:UpdateResolverDnssecConfig route53resolver:UpdateResolverEndpoint route53resolver:UpdateResolverRule |
| rum | rum:BatchCreateRumMetricDefinitions rum:BatchDeleteRumMetricDefinitions rum:BatchGetRumMetricDefinitions rum:CreateAppMonitor rum:DeleteAppMonitor rum:DeleteResourcePolicy rum:DeleteRumMetricsDestination rum:GetAppMonitor rum:GetAppMonitorData rum:GetResourcePolicy rum:ListAppMonitors rum:ListRumMetricsDestinations rum:PutResourcePolicy rum:PutRumMetricsDestination rum:UpdateAppMonitor rum:UpdateRumMetricDefinition |
| s3 | s3:AssociateAccessGrantsIdentityCenter s3:CreateAccessGrant s3:CreateAccessGrantsInstance s3:CreateAccessGrantsLocation s3:CreateAccessPoint s3:CreateAccessPointForObjectLambda s3:CreateBucket s3:CreateBucketMetadataTableConfiguration s3:CreateJob s3:CreateMultiRegionAccessPoint s3:DeleteAccessGrant s3:DeleteAccessGrantsInstance s3:DeleteAccessGrantsInstanceResourcePolicy s3:DeleteAccessGrantsLocation s3:DeleteAccessPoint s3:DeleteAccessPointForObjectLambda s3:DeleteAccessPointPolicy s3:DeleteAccessPointPolicyForObjectLambda s3:DeleteBucket s3:DeleteBucketMetadataTableConfiguration s3:DeleteBucketPolicy s3:DeleteBucketWebsite s3:DeleteMultiRegionAccessPoint s3:DeleteStorageLensConfiguration s3:DescribeJob s3:DescribeMultiRegionAccessPointOperation s3:DissociateAccessGrantsIdentityCenter s3:GetAccelerateConfiguration s3:GetAccessGrant s3:GetAccessGrantsInstance s3:GetAccessGrantsInstanceForPrefix s3:GetAccessGrantsInstanceResourcePolicy s3:GetAccessGrantsLocation s3:GetAccessPoint s3:GetAccessPointConfigurationForObjectLambda s3:GetAccessPointForObjectLambda s3:GetAccessPointPolicy s3:GetAccessPointPolicyForObjectLambda s3:GetAccessPointPolicyStatus s3:GetAccessPointPolicyStatusForObjectLambda s3:GetAccountPublicAccessBlock s3:GetAnalyticsConfiguration s3:GetBucketAbac s3:GetBucketAcl s3:GetBucketCORS s3:GetBucketLocation s3:GetBucketLogging s3:GetBucketNotification s3:GetBucketObjectLockConfiguration s3:GetBucketOwnershipControls s3:GetBucketPolicy s3:GetBucketPolicyStatus s3:GetBucketPublicAccessBlock s3:GetBucketRequestPayment s3:GetBucketVersioning s3:GetBucketWebsite s3:GetDataAccess s3:GetEncryptionConfiguration s3:GetIntelligentTieringConfiguration s3:GetInventoryConfiguration s3:GetLifecycleConfiguration s3:GetMetricsConfiguration s3:GetMultiRegionAccessPoint s3:GetMultiRegionAccessPointPolicy s3:GetMultiRegionAccessPointPolicyStatus s3:GetMultiRegionAccessPointRoutes s3:GetReplicationConfiguration s3:GetStorageLensConfiguration s3:GetStorageLensDashboard s3:ListAccessGrants s3:ListAccessGrantsInstances s3:ListAccessGrantsLocations s3:ListAccessPoints s3:ListAccessPointsForObjectLambda s3:ListAllMyBuckets s3:ListBucketMultipartUploads s3:ListCallerAccessGrants s3:ListJobs s3:ListMultiRegionAccessPoints s3:ListStorageLensConfigurations s3:PutAccelerateConfiguration s3:PutAccessGrantsInstanceResourcePolicy s3:PutAccessPointConfigurationForObjectLambda s3:PutAccessPointPolicy s3:PutAccessPointPolicyForObjectLambda s3:PutAccountPublicAccessBlock s3:PutAnalyticsConfiguration s3:PutBucketAbac s3:PutBucketAcl s3:PutBucketCORS s3:PutBucketLogging s3:PutBucketNotification s3:PutBucketObjectLockConfiguration s3:PutBucketOwnershipControls s3:PutBucketPolicy s3:PutBucketPublicAccessBlock s3:PutBucketRequestPayment s3:PutBucketVersioning s3:PutBucketWebsite s3:PutEncryptionConfiguration s3:PutIntelligentTieringConfiguration s3:PutInventoryConfiguration s3:PutLifecycleConfiguration s3:PutMetricsConfiguration s3:PutMultiRegionAccessPointPolicy s3:PutReplicationConfiguration s3:PutStorageLensConfiguration s3:SubmitMultiRegionAccessPointRoutes s3:UpdateAccessGrantsLocation s3:UpdateBucketMetadataJournalTableConfiguration s3:UpdateJobPriority s3:UpdateJobStatus |
| s3-outposts | s3-outposts:CreateEndpoint s3-outposts:DeleteEndpoint s3-outposts:ListEndpoints s3-outposts:ListOutpostsWithS3 s3-outposts:ListSharedEndpoints |
| sagemaker-geospatial | sagemaker-geospatial:DeleteEarthObservationJob sagemaker-geospatial:DeleteVectorEnrichmentJob sagemaker-geospatial:ExportEarthObservationJob sagemaker-geospatial:ExportVectorEnrichmentJob sagemaker-geospatial:GetEarthObservationJob sagemaker-geospatial:GetRasterDataCollection sagemaker-geospatial:GetTile sagemaker-geospatial:GetVectorEnrichmentJob sagemaker-geospatial:ListEarthObservationJobs sagemaker-geospatial:ListRasterDataCollections sagemaker-geospatial:ListVectorEnrichmentJobs sagemaker-geospatial:SearchRasterDataCollection sagemaker-geospatial:StartEarthObservationJob sagemaker-geospatial:StartVectorEnrichmentJob sagemaker-geospatial:StopEarthObservationJob sagemaker-geospatial:StopVectorEnrichmentJob |
| savingsplans | savingsplans:CreateSavingsPlan savingsplans:DeleteQueuedSavingsPlan savingsplans:DescribeSavingsPlanRates savingsplans:DescribeSavingsPlans savingsplans:DescribeSavingsPlansOfferingRates savingsplans:DescribeSavingsPlansOfferings savingsplans:ReturnSavingsPlan |
| schemas | schemas:CreateDiscoverer schemas:CreateRegistry schemas:CreateSchema schemas:DeleteDiscoverer schemas:DeleteRegistry schemas:DeleteResourcePolicy schemas:DeleteSchema schemas:DeleteSchemaVersion schemas:DescribeCodeBinding schemas:DescribeDiscoverer schemas:DescribeRegistry schemas:DescribeSchema schemas:ExportSchema schemas:GetCodeBindingSource schemas:GetDiscoveredSchema schemas:GetResourcePolicy schemas:ListDiscoverers schemas:ListRegistries schemas:ListSchemaVersions schemas:ListSchemas schemas:PutCodeBinding schemas:PutResourcePolicy schemas:SearchSchemas schemas:StartDiscoverer schemas:StopDiscoverer schemas:UpdateDiscoverer schemas:UpdateRegistry schemas:UpdateSchema |
| sdb | sdb:CreateDomain sdb:DeleteDomain sdb:DomainMetadata sdb:ListDomains |
| secretsmanager | secretsmanager:CancelRotateSecret secretsmanager:CreateSecret secretsmanager:DeleteResourcePolicy secretsmanager:DeleteSecret secretsmanager:DescribeSecret secretsmanager:GetRandomPassword secretsmanager:GetResourcePolicy secretsmanager:GetSecretValue secretsmanager:ListSecretVersionIds secretsmanager:ListSecrets secretsmanager:PutResourcePolicy secretsmanager:PutSecretValue secretsmanager:RemoveRegionsFromReplication secretsmanager:ReplicateSecretToRegions secretsmanager:RestoreSecret secretsmanager:RotateSecret secretsmanager:StopReplicationToReplica secretsmanager:UpdateSecret secretsmanager:ValidateResourcePolicy |
| securityhub | securityhub:AcceptAdministratorInvitation securityhub:AcceptInvitation securityhub:BatchDeleteAutomationRules securityhub:BatchDisableStandards securityhub:BatchEnableStandards securityhub:BatchGetAutomationRules securityhub:BatchGetConfigurationPolicyAssociations securityhub:BatchGetSecurityControls securityhub:BatchGetStandardsControlAssociations securityhub:BatchImportFindings securityhub:BatchUpdateAutomationRules securityhub:BatchUpdateFindings securityhub:BatchUpdateStandardsControlAssociations securityhub:ConnectorRegistrationsV2 securityhub:CreateActionTarget securityhub:CreateAggregatorV2 securityhub:CreateAutomationRule securityhub:CreateAutomationRuleV2 securityhub:CreateConfigurationPolicy securityhub:CreateConnectorV2 securityhub:CreateFindingAggregator securityhub:CreateInsight securityhub:CreateMembers securityhub:CreateTicketV2 securityhub:DeclineInvitations securityhub:DeleteActionTarget securityhub:DeleteAggregatorV2 securityhub:DeleteAutomationRuleV2 securityhub:DeleteConfigurationPolicy securityhub:DeleteConnectorV2 securityhub:DeleteFindingAggregator securityhub:DeleteInsight securityhub:DeleteInvitations securityhub:DeleteMembers securityhub:DescribeActionTargets securityhub:DescribeHub securityhub:DescribeOrganizationConfiguration securityhub:DescribeProducts securityhub:DescribeSecurityHubV2 securityhub:DescribeStandards securityhub:DisableImportFindingsForProduct securityhub:DisableOrganizationAdminAccount securityhub:DisableSecurityHub securityhub:DisableSecurityHubV2 securityhub:DisassociateFromAdministratorAccount securityhub:DisassociateFromMasterAccount securityhub:DisassociateMembers securityhub:EnableImportFindingsForProduct securityhub:EnableOrganizationAdminAccount securityhub:EnableSecurityHub securityhub:GetAdministratorAccount securityhub:GetAggregatorV2 securityhub:GetAutomationRuleV2 securityhub:GetConfigurationPolicy securityhub:GetConfigurationPolicyAssociation securityhub:GetConnectorV2 securityhub:GetEnabledStandards securityhub:GetFindingAggregator securityhub:GetFindingHistory securityhub:GetFindings securityhub:GetInsightResults securityhub:GetInsights securityhub:GetInvitationsCount securityhub:GetMasterAccount securityhub:GetMembers securityhub:GetSecurityControlDefinition securityhub:InviteMembers securityhub:ListAggregatorsV2 securityhub:ListAutomationRules securityhub:ListAutomationRulesV2 securityhub:ListConfigurationPolicies securityhub:ListConfigurationPolicyAssociations securityhub:ListConnectorsV2 securityhub:ListEnabledProductsForImport securityhub:ListFindingAggregators securityhub:ListInvitations securityhub:ListMembers securityhub:ListOrganizationAdminAccounts securityhub:ListSecurityControlDefinitions securityhub:ListStandardsControlAssociations securityhub:StartConfigurationPolicyAssociation securityhub:StartConfigurationPolicyDisassociation securityhub:UpdateActionTarget securityhub:UpdateAggregatorV2 securityhub:UpdateAutomationRuleV2 securityhub:UpdateConfigurationPolicy securityhub:UpdateConnectorV2 securityhub:UpdateFindingAggregator securityhub:UpdateFindings securityhub:UpdateInsight securityhub:UpdateOrganizationConfiguration securityhub:UpdateSecurityControl securityhub:UpdateSecurityHubConfiguration |
| securitylake | securitylake:CreateAwsLogSource securitylake:CreateCustomLogSource securitylake:CreateDataLakeExceptionSubscription securitylake:CreateDataLakeOrganizationConfiguration securitylake:CreateSubscriber securitylake:CreateSubscriberNotification securitylake:DeleteAwsLogSource securitylake:DeleteCustomLogSource securitylake:DeleteDataLakeExceptionSubscription securitylake:DeleteDataLakeOrganizationConfiguration securitylake:DeleteSubscriber securitylake:DeleteSubscriberNotification securitylake:DeregisterDataLakeDelegatedAdministrator securitylake:GetDataLakeExceptionSubscription securitylake:GetDataLakeOrganizationConfiguration securitylake:GetDataLakeSources securitylake:GetSubscriber securitylake:ListDataLakes securitylake:ListLogSources securitylake:ListSubscribers securitylake:RegisterDataLakeDelegatedAdministrator securitylake:UpdateDataLakeExceptionSubscription securitylake:UpdateSubscriber securitylake:UpdateSubscriberNotification |
| serverlessrepo | serverlessrepo:CreateApplication serverlessrepo:CreateApplicationVersion serverlessrepo:CreateCloudFormationChangeSet serverlessrepo:CreateCloudFormationTemplate serverlessrepo:DeleteApplication serverlessrepo:GetApplication serverlessrepo:GetApplicationPolicy serverlessrepo:GetCloudFormationTemplate serverlessrepo:ListApplicationDependencies serverlessrepo:ListApplicationVersions serverlessrepo:ListApplications serverlessrepo:PutApplicationPolicy serverlessrepo:UnshareApplication serverlessrepo:UpdateApplication |
| servicecatalog | servicecatalog:AcceptPortfolioShare servicecatalog:AssociateBudgetWithResource servicecatalog:AssociatePrincipalWithPortfolio servicecatalog:AssociateProductWithPortfolio servicecatalog:AssociateServiceActionWithProvisioningArtifact servicecatalog:BatchAssociateServiceActionWithProvisioningArtifact servicecatalog:BatchDisassociateServiceActionFromProvisioningArtifact servicecatalog:CopyProduct servicecatalog:CreateAttributeGroup servicecatalog:CreateConstraint servicecatalog:CreatePortfolio servicecatalog:CreatePortfolioShare servicecatalog:CreateProduct servicecatalog:CreateProvisionedProductPlan servicecatalog:CreateProvisioningArtifact servicecatalog:CreateServiceAction servicecatalog:DeleteAttributeGroup servicecatalog:DeleteConstraint servicecatalog:DeletePortfolio servicecatalog:DeletePortfolioShare servicecatalog:DeleteProduct servicecatalog:DeleteProvisionedProductPlan servicecatalog:DeleteProvisioningArtifact servicecatalog:DeleteServiceAction servicecatalog:DescribeConstraint servicecatalog:DescribeCopyProductStatus servicecatalog:DescribePortfolio servicecatalog:DescribePortfolioShareStatus servicecatalog:DescribePortfolioShares servicecatalog:DescribeProduct servicecatalog:DescribeProductAsAdmin servicecatalog:DescribeProductView servicecatalog:DescribeProvisionedProduct servicecatalog:DescribeProvisionedProductPlan servicecatalog:DescribeProvisioningArtifact servicecatalog:DescribeProvisioningParameters servicecatalog:DescribeRecord servicecatalog:DescribeServiceAction servicecatalog:DescribeServiceActionExecutionParameters servicecatalog:DisableAWSOrganizationsAccess servicecatalog:DisassociateBudgetFromResource servicecatalog:DisassociatePrincipalFromPortfolio servicecatalog:DisassociateProductFromPortfolio servicecatalog:DisassociateServiceActionFromProvisioningArtifact servicecatalog:EnableAWSOrganizationsAccess servicecatalog:ExecuteProvisionedProductPlan servicecatalog:ExecuteProvisionedProductServiceAction servicecatalog:GetAWSOrganizationsAccessStatus servicecatalog:GetProvisionedProductOutputs servicecatalog:ImportAsProvisionedProduct servicecatalog:ListAcceptedPortfolioShares servicecatalog:ListAttributeGroups servicecatalog:ListBudgetsForResource servicecatalog:ListConstraintsForPortfolio servicecatalog:ListLaunchPaths servicecatalog:ListOrganizationPortfolioAccess servicecatalog:ListPortfolioAccess servicecatalog:ListPortfolios servicecatalog:ListPortfoliosForProduct servicecatalog:ListPrincipalsForPortfolio servicecatalog:ListProvisionedProductPlans servicecatalog:ListProvisioningArtifacts servicecatalog:ListProvisioningArtifactsForServiceAction servicecatalog:ListRecordHistory servicecatalog:ListServiceActions servicecatalog:ListServiceActionsForProvisioningArtifact servicecatalog:ListStackInstancesForProvisionedProduct servicecatalog:NotifyProvisionProductEngineWorkflowResult servicecatalog:NotifyTerminateProvisionedProductEngineWorkflowResult servicecatalog:NotifyUpdateProvisionedProductEngineWorkflowResult servicecatalog:ProvisionProduct servicecatalog:RejectPortfolioShare servicecatalog:ScanProvisionedProducts servicecatalog:SearchProducts servicecatalog:SearchProductsAsAdmin servicecatalog:SearchProvisionedProducts servicecatalog:TerminateProvisionedProduct servicecatalog:UpdateConstraint servicecatalog:UpdatePortfolio servicecatalog:UpdatePortfolioShare servicecatalog:UpdateProduct servicecatalog:UpdateProvisionedProduct servicecatalog:UpdateProvisionedProductProperties servicecatalog:UpdateProvisioningArtifact servicecatalog:UpdateServiceAction |
| servicediscovery | servicediscovery:CreateHttpNamespace servicediscovery:CreatePrivateDnsNamespace servicediscovery:CreatePublicDnsNamespace servicediscovery:CreateService servicediscovery:DeleteNamespace servicediscovery:DeleteService servicediscovery:DeleteServiceAttributes servicediscovery:DeregisterInstance servicediscovery:GetInstance servicediscovery:GetInstancesHealthStatus servicediscovery:GetNamespace servicediscovery:GetOperation servicediscovery:GetService servicediscovery:ListInstances servicediscovery:ListNamespaces servicediscovery:ListOperations servicediscovery:ListServices servicediscovery:RegisterInstance servicediscovery:UpdateHttpNamespace servicediscovery:UpdateInstanceCustomHealthStatus servicediscovery:UpdatePrivateDnsNamespace servicediscovery:UpdatePublicDnsNamespace servicediscovery:UpdateService servicediscovery:UpdateServiceAttributes |
| servicequotas | servicequotas:AssociateServiceQuotaTemplate servicequotas:CreateSupportCase servicequotas:DeleteServiceQuotaIncreaseRequestFromTemplate servicequotas:DisassociateServiceQuotaTemplate servicequotas:GetAWSDefaultServiceQuota servicequotas:GetAssociationForServiceQuotaTemplate servicequotas:GetAutoManagementConfiguration servicequotas:GetQuotaUtilizationReport servicequotas:GetRequestedServiceQuotaChange servicequotas:GetServiceQuota servicequotas:GetServiceQuotaIncreaseRequestFromTemplate servicequotas:ListAWSDefaultServiceQuotas servicequotas:ListRequestedServiceQuotaChangeHistory servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota servicequotas:ListServiceQuotaIncreaseRequestsInTemplate servicequotas:ListServiceQuotas servicequotas:ListServices servicequotas:PutServiceQuotaIncreaseRequestIntoTemplate servicequotas:RequestServiceQuotaIncrease servicequotas:StartAutoManagement servicequotas:StartQuotaUtilizationReport servicequotas:StopAutoManagement servicequotas:UpdateAutoManagement |
| ses | ses:BatchGetMetricData ses:CloneReceiptRuleSet ses:CreateAddonInstance ses:CreateAddonSubscription ses:CreateAddressList ses:CreateAddressListImportJob ses:CreateArchive ses:CreateConfigurationSet ses:CreateConfigurationSetEventDestination ses:CreateConfigurationSetTrackingOptions ses:CreateContact ses:CreateContactList ses:CreateCustomVerificationEmailTemplate ses:CreateDedicatedIpPool ses:CreateDeliverabilityTestReport ses:CreateEmailIdentity ses:CreateEmailIdentityPolicy ses:CreateEmailTemplate ses:CreateImportJob ses:CreateIngressPoint ses:CreateMultiRegionEndpoint ses:CreateReceiptFilter ses:CreateReceiptRule ses:CreateReceiptRuleSet ses:CreateRelay ses:CreateRuleSet ses:CreateTemplate ses:CreateTenant ses:CreateTenantResourceAssociation ses:CreateTrafficPolicy ses:DeleteAddonInstance ses:DeleteAddonSubscription ses:DeleteAddressList ses:DeleteArchive ses:DeleteConfigurationSet ses:DeleteConfigurationSetEventDestination ses:DeleteConfigurationSetTrackingOptions ses:DeleteContact ses:DeleteContactList ses:DeleteCustomVerificationEmailTemplate ses:DeleteDedicatedIpPool ses:DeleteEmailIdentity ses:DeleteEmailIdentityPolicy ses:DeleteEmailTemplate ses:DeleteIdentity ses:DeleteIdentityPolicy ses:DeleteIngressPoint ses:DeleteMultiRegionEndpoint ses:DeleteReceiptFilter ses:DeleteReceiptRule ses:DeleteReceiptRuleSet ses:DeleteRelay ses:DeleteRuleSet ses:DeleteSuppressedDestination ses:DeleteTemplate ses:DeleteTenant ses:DeleteTenantResourceAssociation ses:DeleteTrafficPolicy ses:DeleteVerifiedEmailAddress ses:DeregisterMemberFromAddressList ses:DescribeActiveReceiptRuleSet ses:DescribeConfigurationSet ses:DescribeReceiptRule ses:DescribeReceiptRuleSet ses:GetAccount ses:GetAccountSendingEnabled ses:GetAddonInstance ses:GetAddonSubscription ses:GetAddressList ses:GetArchive ses:GetArchiveExport ses:GetArchiveMessage ses:GetArchiveMessageContent ses:GetArchiveSearch ses:GetArchiveSearchResults ses:GetBlacklistReports ses:GetConfigurationSet ses:GetConfigurationSetEventDestinations ses:GetContact ses:GetContactList ses:GetCustomVerificationEmailTemplate ses:GetDedicatedIp ses:GetDedicatedIpPool ses:GetDedicatedIps ses:GetDeliverabilityDashboardOptions ses:GetDeliverabilityTestReport ses:GetDomainDeliverabilityCampaign ses:GetDomainStatisticsReport ses:GetEmailAddressInsights ses:GetEmailIdentity ses:GetEmailIdentityPolicies ses:GetEmailTemplate ses:GetIdentityDkimAttributes ses:GetIdentityMailFromDomainAttributes ses:GetIdentityNotificationAttributes ses:GetIdentityPolicies ses:GetIdentityVerificationAttributes ses:GetImportJob ses:GetIngressPoint ses:GetMemberOfAddressList ses:GetMessageInsights ses:GetMultiRegionEndpoint ses:GetRelay ses:GetRuleSet ses:GetSendQuota ses:GetSendStatistics ses:GetSuppressedDestination ses:GetTemplate ses:GetTenant ses:GetTrafficPolicy ses:ListAddonInstances ses:ListAddonSubscriptions ses:ListAddressListImportJobs ses:ListAddressLists ses:ListArchiveExports ses:ListArchiveSearches ses:ListArchives ses:ListConfigurationSets ses:ListContactLists ses:ListContacts ses:ListCustomVerificationEmailTemplates ses:ListDedicatedIpPools ses:ListDeliverabilityTestReports ses:ListDomainDeliverabilityCampaigns ses:ListEmailIdentities ses:ListEmailTemplates ses:ListExportJobs ses:ListIdentities ses:ListIdentityPolicies ses:ListImportJobs ses:ListIngressPoints ses:ListMembersOfAddressList ses:ListMultiRegionEndpoints ses:ListReceiptFilters ses:ListReceiptRuleSets ses:ListRecommendations ses:ListRelays ses:ListReputationEntities ses:ListResourceTenants ses:ListRuleSets ses:ListSuppressedDestinations ses:ListTemplates ses:ListTenantResources ses:ListTenants ses:ListTrafficPolicies ses:ListVerifiedEmailAddresses ses:PutAccountDedicatedIpWarmupAttributes ses:PutAccountDetails ses:PutAccountSendingAttributes ses:PutAccountSuppressionAttributes ses:PutAccountVdmAttributes ses:PutConfigurationSetArchivingOptions ses:PutConfigurationSetDeliveryOptions ses:PutConfigurationSetReputationOptions ses:PutConfigurationSetSendingOptions ses:PutConfigurationSetSuppressionOptions ses:PutConfigurationSetTrackingOptions ses:PutConfigurationSetVdmOptions ses:PutDedicatedIpInPool ses:PutDedicatedIpPoolScalingAttributes ses:PutDedicatedIpWarmupAttributes ses:PutDeliverabilityDashboardOption ses:PutEmailIdentityConfigurationSetAttributes ses:PutEmailIdentityDkimAttributes ses:PutEmailIdentityDkimSigningAttributes ses:PutEmailIdentityFeedbackAttributes ses:PutEmailIdentityMailFromAttributes ses:PutIdentityPolicy ses:PutSuppressedDestination ses:RegisterMemberToAddressList ses:ReorderReceiptRuleSet ses:SendBounce ses:SendCustomVerificationEmail ses:SetActiveReceiptRuleSet ses:SetIdentityDkimEnabled ses:SetIdentityFeedbackForwardingEnabled ses:SetIdentityHeadersInNotificationsEnabled ses:SetIdentityMailFromDomain ses:SetIdentityNotificationTopic ses:SetReceiptRulePosition ses:StartArchiveExport ses:StartArchiveSearch ses:StopArchiveExport ses:StopArchiveSearch ses:TestRenderEmailTemplate ses:TestRenderTemplate ses:UpdateAccountSendingEnabled ses:UpdateArchive ses:UpdateConfigurationSetEventDestination ses:UpdateConfigurationSetReputationMetricsEnabled ses:UpdateConfigurationSetSendingEnabled ses:UpdateConfigurationSetTrackingOptions ses:UpdateContact ses:UpdateContactList ses:UpdateCustomVerificationEmailTemplate ses:UpdateEmailIdentityPolicy ses:UpdateEmailTemplate ses:UpdateIngressPoint ses:UpdateReceiptRule ses:UpdateRelay ses:UpdateRuleSet ses:UpdateTemplate ses:UpdateTrafficPolicy ses:VerifyDomainDkim ses:VerifyDomainIdentity ses:VerifyEmailAddress ses:VerifyEmailIdentity |
| shield | shield:AssociateDRTLogBucket shield:AssociateHealthCheck shield:AssociateProactiveEngagementDetails shield:CreateProtection shield:CreateProtectionGroup shield:CreateSubscription shield:DeleteProtection shield:DeleteProtectionGroup shield:DeleteSubscription shield:DescribeAttack shield:DescribeAttackStatistics shield:DescribeDRTAccess shield:DescribeEmergencyContactSettings shield:DescribeProtection shield:DescribeProtectionGroup shield:DescribeSubscription shield:DisableApplicationLayerAutomaticResponse shield:DisableProactiveEngagement shield:DisassociateDRTLogBucket shield:DisassociateDRTRole shield:DisassociateHealthCheck shield:EnableApplicationLayerAutomaticResponse shield:EnableProactiveEngagement shield:GetSubscriptionState shield:ListAttacks shield:ListProtectionGroups shield:ListProtections shield:ListResourcesInProtectionGroup shield:UpdateApplicationLayerAutomaticResponse shield:UpdateEmergencyContactSettings shield:UpdateProtectionGroup shield:UpdateSubscription |
| signer | signer:AddProfilePermission signer:CancelSigningProfile signer:DescribeSigningJob signer:GetSigningPlatform signer:GetSigningProfile signer:ListProfilePermissions signer:ListSigningJobs signer:ListSigningPlatforms signer:ListSigningProfiles signer:PutSigningProfile signer:RemoveProfilePermission signer:RevokeSignature signer:RevokeSigningProfile signer:SignPayload signer:StartSigningJob |
| simspaceweaver | simspaceweaver:CreateSnapshot simspaceweaver:DeleteApp simspaceweaver:DeleteSimulation simspaceweaver:DescribeApp simspaceweaver:DescribeSimulation simspaceweaver:ListApps simspaceweaver:ListSimulations simspaceweaver:StartApp simspaceweaver:StartClock simspaceweaver:StartSimulation simspaceweaver:StopApp simspaceweaver:StopClock simspaceweaver:StopSimulation |
| sms | sms:CreateApp sms:CreateReplicationJob sms:DeleteApp sms:DeleteAppLaunchConfiguration sms:DeleteAppReplicationConfiguration sms:DeleteAppValidationConfiguration sms:DeleteReplicationJob sms:DeleteServerCatalog sms:DisassociateConnector sms:GenerateChangeSet sms:GenerateTemplate sms:GetApp sms:GetAppLaunchConfiguration sms:GetAppReplicationConfiguration sms:GetAppValidationConfiguration sms:GetAppValidationOutput sms:GetConnectors sms:GetReplicationJobs sms:GetReplicationRuns sms:GetServers sms:ImportAppCatalog sms:ImportServerCatalog sms:LaunchApp sms:ListApps sms:NotifyAppValidationOutput sms:PutAppLaunchConfiguration sms:PutAppReplicationConfiguration sms:PutAppValidationConfiguration sms:StartAppReplication sms:StartOnDemandAppReplication sms:StartOnDemandReplicationRun sms:StopAppReplication sms:TerminateApp sms:UpdateApp sms:UpdateReplicationJob |
| sms-voice | sms-voice:AssociateProtectConfiguration sms-voice:CreateConfigurationSet sms-voice:CreateConfigurationSetEventDestination sms-voice:CreateEventDestination sms-voice:CreateOptOutList sms-voice:CreatePool sms-voice:CreateProtectConfiguration sms-voice:CreateRegistration sms-voice:CreateRegistrationAssociation sms-voice:CreateRegistrationAttachment sms-voice:CreateRegistrationVersion sms-voice:CreateVerifiedDestinationNumber sms-voice:DeleteAccountDefaultProtectConfiguration sms-voice:DeleteConfigurationSet sms-voice:DeleteConfigurationSetEventDestination sms-voice:DeleteDefaultMessageType sms-voice:DeleteDefaultSenderId sms-voice:DeleteEventDestination sms-voice:DeleteKeyword sms-voice:DeleteMediaMessageSpendLimitOverride sms-voice:DeleteOptOutList sms-voice:DeleteOptedOutNumber sms-voice:DeletePool sms-voice:DeleteProtectConfiguration sms-voice:DeleteProtectConfigurationRuleSetNumberOverride sms-voice:DeleteRegistration sms-voice:DeleteRegistrationAttachment sms-voice:DeleteResourcePolicy sms-voice:DeleteTextMessageSpendLimitOverride sms-voice:DeleteVerifiedDestinationNumber sms-voice:DeleteVoiceMessageSpendLimitOverride sms-voice:DescribeAccountAttributes sms-voice:DescribeAccountLimits sms-voice:DescribeConfigurationSets sms-voice:DescribeKeywords sms-voice:DescribeOptOutLists sms-voice:DescribeOptedOutNumbers sms-voice:DescribePhoneNumbers sms-voice:DescribePools sms-voice:DescribeProtectConfigurations sms-voice:DescribeRegistrationAttachments sms-voice:DescribeRegistrationFieldDefinitions sms-voice:DescribeRegistrationFieldValues sms-voice:DescribeRegistrationSectionDefinitions sms-voice:DescribeRegistrationTypeDefinitions sms-voice:DescribeRegistrationVersions sms-voice:DescribeRegistrations sms-voice:DescribeSenderIds sms-voice:DescribeSpendLimits sms-voice:DescribeVerifiedDestinationNumbers sms-voice:DisassociateOriginationIdentity sms-voice:DisassociateProtectConfiguration sms-voice:DiscardRegistrationVersion sms-voice:GetConfigurationSetEventDestinations sms-voice:GetProtectConfigurationCountryRuleSet sms-voice:GetResourcePolicy sms-voice:ListConfigurationSets sms-voice:ListPoolOriginationIdentities sms-voice:ListProtectConfigurationRuleSetNumberOverrides sms-voice:ListRegistrationAssociations sms-voice:PutKeyword sms-voice:PutOptedOutNumber sms-voice:PutProtectConfigurationRuleSetNumberOverride sms-voice:PutResourcePolicy sms-voice:ReleasePhoneNumber sms-voice:ReleaseSenderId sms-voice:RequestPhoneNumber sms-voice:RequestSenderId sms-voice:SendDestinationNumberVerificationCode sms-voice:SetAccountDefaultProtectConfiguration sms-voice:SetDefaultMessageFeedbackEnabled sms-voice:SetDefaultMessageType sms-voice:SetDefaultSenderId sms-voice:SetMediaMessageSpendLimitOverride sms-voice:SetTextMessageSpendLimitOverride sms-voice:SetVoiceMessageSpendLimitOverride sms-voice:SubmitRegistrationVersion sms-voice:UpdateConfigurationSetEventDestination sms-voice:UpdateEventDestination sms-voice:UpdatePhoneNumber sms-voice:UpdatePool sms-voice:UpdateProtectConfiguration sms-voice:UpdateProtectConfigurationCountryRuleSet sms-voice:UpdateSenderId |
| snowball | snowball:CancelCluster snowball:CancelJob snowball:CreateAddress snowball:CreateCluster snowball:CreateJob snowball:CreateLongTermPricing snowball:CreateReturnShippingLabel snowball:DescribeAddress snowball:DescribeAddresses snowball:DescribeCluster snowball:DescribeJob snowball:DescribeReturnShippingLabel snowball:GetJobManifest snowball:GetJobUnlockCode snowball:GetSnowballUsage snowball:GetSoftwareUpdates snowball:ListClusterJobs snowball:ListClusters snowball:ListCompatibleImages snowball:ListJobs snowball:ListLongTermPricing snowball:ListPickupLocations snowball:ListServiceVersions snowball:UpdateCluster snowball:UpdateJob snowball:UpdateJobShipmentState snowball:UpdateLongTermPricing |
| sqs | sqs:AddPermission sqs:CancelMessageMoveTask sqs:CreateQueue sqs:DeleteQueue sqs:PurgeQueue sqs:RemovePermission sqs:SetQueueAttributes |
| ssm | ssm:AssociateOpsItemRelatedItem ssm:CancelCommand ssm:CancelMaintenanceWindowExecution ssm:CreateActivation ssm:CreateAssociation ssm:CreateAssociationBatch ssm:CreateDocument ssm:CreateMaintenanceWindow ssm:CreateOpsItem ssm:CreateOpsMetadata ssm:CreatePatchBaseline ssm:CreateResourceDataSync ssm:DeleteActivation ssm:DeleteAssociation ssm:DeleteDocument ssm:DeleteInventory ssm:DeleteMaintenanceWindow ssm:DeleteOpsItem ssm:DeleteOpsMetadata ssm:DeleteParameter ssm:DeleteParameters ssm:DeletePatchBaseline ssm:DeleteResourceDataSync ssm:DeleteResourcePolicy ssm:DeregisterManagedInstance ssm:DeregisterPatchBaselineForPatchGroup ssm:DeregisterTargetFromMaintenanceWindow ssm:DeregisterTaskFromMaintenanceWindow ssm:DescribeActivations ssm:DescribeAssociation ssm:DescribeAssociationExecutionTargets ssm:DescribeAssociationExecutions ssm:DescribeAutomationExecutions ssm:DescribeAutomationStepExecutions ssm:DescribeAvailablePatches ssm:DescribeDocument ssm:DescribeDocumentParameters ssm:DescribeDocumentPermission ssm:DescribeEffectiveInstanceAssociations ssm:DescribeEffectivePatchesForPatchBaseline ssm:DescribeInstanceAssociationsStatus ssm:DescribeInstanceInformation ssm:DescribeInstancePatchStates ssm:DescribeInstancePatchStatesForPatchGroup ssm:DescribeInstancePatches ssm:DescribeInstanceProperties ssm:DescribeInventoryDeletions ssm:DescribeMaintenanceWindowExecutionTaskInvocations ssm:DescribeMaintenanceWindowExecutionTasks ssm:DescribeMaintenanceWindowExecutions ssm:DescribeMaintenanceWindowSchedule ssm:DescribeMaintenanceWindowTargets ssm:DescribeMaintenanceWindowTasks ssm:DescribeMaintenanceWindows ssm:DescribeMaintenanceWindowsForTarget ssm:DescribeOpsItems ssm:DescribeParameters ssm:DescribePatchBaselines ssm:DescribePatchGroupState ssm:DescribePatchGroups ssm:DescribePatchProperties ssm:DescribeSessions ssm:DisassociateOpsItemRelatedItem ssm:GetAccessToken ssm:GetAutomationExecution ssm:GetCalendarState ssm:GetCommandInvocation ssm:GetConnectionStatus ssm:GetDefaultPatchBaseline ssm:GetDeployablePatchSnapshotForInstance ssm:GetDocument ssm:GetExecutionPreview ssm:GetInventory ssm:GetInventorySchema ssm:GetMaintenanceWindow ssm:GetMaintenanceWindowExecution ssm:GetMaintenanceWindowExecutionTask ssm:GetMaintenanceWindowExecutionTaskInvocation ssm:GetMaintenanceWindowTask ssm:GetOpsItem ssm:GetOpsMetadata ssm:GetOpsSummary ssm:GetParameter ssm:GetParameterHistory ssm:GetParameters ssm:GetParametersByPath ssm:GetPatchBaseline ssm:GetPatchBaselineForPatchGroup ssm:GetResourcePolicies ssm:GetServiceSetting ssm:LabelParameterVersion ssm:ListAssociationVersions ssm:ListAssociations ssm:ListCommandInvocations ssm:ListCommands ssm:ListComplianceItems ssm:ListComplianceSummaries ssm:ListDocumentMetadataHistory ssm:ListDocumentVersions ssm:ListDocuments ssm:ListInstanceAssociations ssm:ListInventoryEntries ssm:ListNodes ssm:ListNodesSummary ssm:ListOpsItemEvents ssm:ListOpsItemRelatedItems ssm:ListOpsMetadata ssm:ListResourceComplianceSummaries ssm:ListResourceDataSync ssm:ModifyDocumentPermission ssm:PutComplianceItems ssm:PutInventory ssm:PutParameter ssm:PutResourcePolicy ssm:RegisterDefaultPatchBaseline ssm:RegisterManagedInstance ssm:RegisterPatchBaselineForPatchGroup ssm:RegisterTargetWithMaintenanceWindow ssm:RegisterTaskWithMaintenanceWindow ssm:ResetServiceSetting ssm:ResumeSession ssm:SendAutomationSignal ssm:SendCommand ssm:StartAssociationsOnce ssm:StartAutomationExecution ssm:StartChangeRequestExecution ssm:StartSession ssm:StopAutomationExecution ssm:TerminateSession ssm:UnlabelParameterVersion ssm:UpdateAssociation ssm:UpdateAssociationStatus ssm:UpdateDocument ssm:UpdateDocumentDefaultVersion ssm:UpdateDocumentMetadata ssm:UpdateInstanceInformation ssm:UpdateMaintenanceWindow ssm:UpdateMaintenanceWindowTarget ssm:UpdateMaintenanceWindowTask ssm:UpdateManagedInstanceRole ssm:UpdateOpsItem ssm:UpdateOpsMetadata ssm:UpdatePatchBaseline ssm:UpdateResourceDataSync ssm:UpdateServiceSetting |
| ssm-incidents | ssm-incidents:BatchGetIncidentFindings ssm-incidents:CreateReplicationSet ssm-incidents:CreateResponsePlan ssm-incidents:CreateTimelineEvent ssm-incidents:DeleteIncidentRecord ssm-incidents:DeleteReplicationSet ssm-incidents:DeleteResourcePolicy ssm-incidents:DeleteResponsePlan ssm-incidents:DeleteTimelineEvent ssm-incidents:GetIncidentRecord ssm-incidents:GetReplicationSet ssm-incidents:GetResourcePolicies ssm-incidents:GetResponsePlan ssm-incidents:GetTimelineEvent ssm-incidents:ListIncidentFindings ssm-incidents:ListIncidentRecords ssm-incidents:ListRelatedItems ssm-incidents:ListReplicationSets ssm-incidents:ListResponsePlans ssm-incidents:ListTimelineEvents ssm-incidents:PutResourcePolicy ssm-incidents:StartIncident ssm-incidents:UpdateDeletionProtection ssm-incidents:UpdateIncidentRecord ssm-incidents:UpdateRelatedItems ssm-incidents:UpdateReplicationSet ssm-incidents:UpdateResponsePlan ssm-incidents:UpdateTimelineEvent |
| ssm-sap | ssm-sap:BackupDatabase ssm-sap:DeleteResourcePermission ssm-sap:DeregisterApplication ssm-sap:GetApplication ssm-sap:GetComponent ssm-sap:GetConfigurationCheckOperation ssm-sap:GetDatabase ssm-sap:GetOperation ssm-sap:GetResourcePermission ssm-sap:ListApplications ssm-sap:ListComponents ssm-sap:ListConfigurationCheckDefinitions ssm-sap:ListConfigurationCheckOperations ssm-sap:ListDatabases ssm-sap:ListOperationEvents ssm-sap:ListOperations ssm-sap:ListSubCheckResults ssm-sap:ListSubCheckRuleResults ssm-sap:PutResourcePermission ssm-sap:RegisterApplication ssm-sap:RestoreDatabase ssm-sap:StartApplication ssm-sap:StartApplicationRefresh ssm-sap:StartConfigurationChecks ssm-sap:StopApplication ssm-sap:UpdateApplicationSettings ssm-sap:UpdateHANABackupSettings |
| states | states:CreateActivity states:CreateStateMachine states:CreateStateMachineAlias states:DeleteActivity states:DeleteStateMachine states:DeleteStateMachineAlias states:DeleteStateMachineVersion states:DescribeActivity states:DescribeExecution states:DescribeMapRun states:DescribeStateMachine states:DescribeStateMachineAlias states:DescribeStateMachineForExecution states:GetExecutionHistory states:ListActivities states:ListExecutions states:ListMapRuns states:ListStateMachineAliases states:ListStateMachineVersions states:ListStateMachines states:SendTaskFailure states:SendTaskHeartbeat states:SendTaskSuccess states:StartExecution states:StopExecution states:UpdateMapRun states:UpdateStateMachine states:UpdateStateMachineAlias states:ValidateStateMachineDefinition |
| sts | sts:AssumeRole sts:AssumeRoleWithSAML sts:AssumeRoleWithWebIdentity sts:DecodeAuthorizationMessage sts:GetAccessKeyInfo sts:GetCallerIdentity sts:GetFederationToken sts:GetSessionToken sts:GetWebIdentityToken |
| swf | swf:DeleteActivityType swf:DeleteWorkflowType swf:DeprecateActivityType swf:DeprecateDomain swf:DeprecateWorkflowType swf:DescribeActivityType swf:DescribeDomain swf:DescribeWorkflowType swf:ListActivityTypes swf:ListDomains swf:ListWorkflowTypes swf:RegisterActivityType swf:RegisterDomain swf:RegisterWorkflowType swf:UndeprecateActivityType swf:UndeprecateDomain swf:UndeprecateWorkflowType |
| synthetics | synthetics:AssociateResource synthetics:CreateCanary synthetics:CreateGroup synthetics:DeleteCanary synthetics:DeleteGroup synthetics:DescribeCanaries synthetics:DescribeCanariesLastRun synthetics:DescribeRuntimeVersions synthetics:DisassociateResource synthetics:GetCanary synthetics:GetCanaryRuns synthetics:GetGroup synthetics:ListAssociatedGroups synthetics:ListGroupResources synthetics:ListGroups synthetics:StartCanary synthetics:StartCanaryDryRun synthetics:StopCanary synthetics:UpdateCanary |
| tag | tag:DescribeReportCreation tag:GetComplianceSummary tag:GetResources tag:StartReportCreation |
| textract | textract:AnalyzeDocument textract:AnalyzeExpense textract:AnalyzeID textract:CreateAdapter textract:CreateAdapterVersion textract:DeleteAdapter textract:DeleteAdapterVersion textract:DetectDocumentText textract:GetAdapter textract:GetAdapterVersion textract:GetDocumentAnalysis textract:GetDocumentTextDetection textract:GetExpenseAnalysis textract:GetLendingAnalysis textract:GetLendingAnalysisSummary textract:ListAdapterVersions textract:ListAdapters textract:StartDocumentAnalysis textract:StartDocumentTextDetection textract:StartExpenseAnalysis textract:StartLendingAnalysis textract:UpdateAdapter |
| timestream | timestream:CancelQuery timestream:CreateDatabase timestream:CreateScheduledQuery timestream:CreateTable timestream:DeleteDatabase timestream:DeleteScheduledQuery timestream:DeleteTable timestream:DescribeAccountSettings timestream:DescribeDatabase timestream:DescribeScheduledQuery timestream:DescribeTable timestream:ExecuteScheduledQuery timestream:ListBatchLoadTasks timestream:ListDatabases timestream:ListScheduledQueries timestream:ListTables timestream:PrepareQuery timestream:UpdateAccountSettings timestream:UpdateDatabase timestream:UpdateScheduledQuery timestream:UpdateTable |
| tnb | tnb:CancelSolNetworkOperation tnb:CreateSolFunctionPackage tnb:CreateSolNetworkInstance tnb:CreateSolNetworkPackage tnb:DeleteSolFunctionPackage tnb:DeleteSolNetworkInstance tnb:DeleteSolNetworkPackage tnb:GetSolFunctionInstance tnb:GetSolFunctionPackage tnb:GetSolFunctionPackageContent tnb:GetSolFunctionPackageDescriptor tnb:GetSolNetworkInstance tnb:GetSolNetworkOperation tnb:GetSolNetworkPackage tnb:GetSolNetworkPackageContent tnb:GetSolNetworkPackageDescriptor tnb:InstantiateSolNetworkInstance tnb:ListSolFunctionInstances tnb:ListSolFunctionPackages tnb:ListSolNetworkInstances tnb:ListSolNetworkOperations tnb:ListSolNetworkPackages tnb:PutSolFunctionPackageContent tnb:PutSolNetworkPackageContent tnb:TerminateSolNetworkInstance tnb:UpdateSolFunctionPackage tnb:UpdateSolNetworkInstance tnb:UpdateSolNetworkPackage tnb:ValidateSolFunctionPackageContent tnb:ValidateSolNetworkPackageContent |
| transcribe | transcribe:CreateCallAnalyticsCategory transcribe:CreateLanguageModel transcribe:CreateMedicalVocabulary transcribe:CreateVocabulary transcribe:CreateVocabularyFilter transcribe:DeleteCallAnalyticsCategory transcribe:DeleteCallAnalyticsJob transcribe:DeleteLanguageModel transcribe:DeleteMedicalScribeJob transcribe:DeleteMedicalTranscriptionJob transcribe:DeleteMedicalVocabulary transcribe:DeleteTranscriptionJob transcribe:DeleteVocabulary transcribe:DeleteVocabularyFilter transcribe:DescribeLanguageModel transcribe:GetCallAnalyticsCategory transcribe:GetCallAnalyticsJob transcribe:GetMedicalScribeJob transcribe:GetMedicalTranscriptionJob transcribe:GetMedicalVocabulary transcribe:GetTranscriptionJob transcribe:GetVocabulary transcribe:GetVocabularyFilter transcribe:ListCallAnalyticsCategories transcribe:ListCallAnalyticsJobs transcribe:ListLanguageModels transcribe:ListMedicalScribeJobs transcribe:ListMedicalTranscriptionJobs transcribe:ListMedicalVocabularies transcribe:ListTranscriptionJobs transcribe:ListVocabularies transcribe:ListVocabularyFilters transcribe:StartCallAnalyticsJob transcribe:StartCallAnalyticsStreamTranscription transcribe:StartCallAnalyticsStreamTranscriptionWebSocket transcribe:StartMedicalScribeJob transcribe:StartMedicalStreamTranscription transcribe:StartMedicalStreamTranscriptionWebSocket transcribe:StartMedicalTranscriptionJob transcribe:StartStreamTranscription transcribe:StartStreamTranscriptionWebSocket transcribe:StartTranscriptionJob transcribe:UpdateCallAnalyticsCategory transcribe:UpdateMedicalVocabulary transcribe:UpdateVocabulary transcribe:UpdateVocabularyFilter |
| transfer | transfer:CreateAccess transfer:CreateAgreement transfer:CreateConnector transfer:CreateProfile transfer:CreateServer transfer:CreateUser transfer:CreateWebApp transfer:CreateWorkflow transfer:DeleteAccess transfer:DeleteAgreement transfer:DeleteCertificate transfer:DeleteConnector transfer:DeleteHostKey transfer:DeleteProfile transfer:DeleteServer transfer:DeleteSshPublicKey transfer:DeleteUser transfer:DeleteWebApp transfer:DeleteWebAppCustomization transfer:DeleteWorkflow transfer:DescribeAccess transfer:DescribeAgreement transfer:DescribeCertificate transfer:DescribeConnector transfer:DescribeExecution transfer:DescribeHostKey transfer:DescribeProfile transfer:DescribeSecurityPolicy transfer:DescribeServer transfer:DescribeUser transfer:DescribeWebApp transfer:DescribeWebAppCustomization transfer:DescribeWorkflow transfer:ImportCertificate transfer:ImportHostKey transfer:ImportSshPublicKey transfer:ListAccesses transfer:ListCertificates transfer:ListConnectors transfer:ListExecutions transfer:ListFileTransferResults transfer:ListHostKeys transfer:ListProfiles transfer:ListSecurityPolicies transfer:ListServers transfer:ListUsers transfer:ListWebApps transfer:ListWorkflows transfer:SendWorkflowStepState transfer:StartDirectoryListing transfer:StartFileTransfer transfer:StartRemoteDelete transfer:StartRemoteMove transfer:StartServer transfer:StopServer transfer:TestConnection transfer:TestIdentityProvider transfer:UpdateAccess transfer:UpdateAgreement transfer:UpdateCertificate transfer:UpdateConnector transfer:UpdateHostKey transfer:UpdateProfile transfer:UpdateServer transfer:UpdateUser transfer:UpdateWebApp transfer:UpdateWebAppCustomization |
| translate | translate:CreateParallelData translate:DeleteParallelData translate:DeleteTerminology translate:DescribeTextTranslationJob translate:GetParallelData translate:GetTerminology translate:ImportTerminology translate:ListLanguages translate:ListParallelData translate:ListTerminologies translate:ListTextTranslationJobs translate:StartTextTranslationJob translate:StopTextTranslationJob translate:TranslateDocument translate:TranslateText translate:UpdateParallelData |
| voiceid | voiceid:AssociateFraudster voiceid:CreateDomain voiceid:CreateWatchlist voiceid:DeleteDomain voiceid:DeleteFraudster voiceid:DeleteSpeaker voiceid:DeleteWatchlist voiceid:DescribeDomain voiceid:DescribeFraudster voiceid:DescribeFraudsterRegistrationJob voiceid:DescribeSpeaker voiceid:DescribeSpeakerEnrollmentJob voiceid:DescribeWatchlist voiceid:DisassociateFraudster voiceid:EvaluateSession voiceid:ListDomains voiceid:ListFraudsterRegistrationJobs voiceid:ListFraudsters voiceid:ListSpeakerEnrollmentJobs voiceid:ListSpeakers voiceid:ListWatchlists voiceid:OptOutSpeaker voiceid:StartFraudsterRegistrationJob voiceid:StartSpeakerEnrollmentJob voiceid:UpdateDomain voiceid:UpdateWatchlist |
| vpc-lattice | vpc-lattice:CreateAccessLogSubscription vpc-lattice:CreateListener vpc-lattice:CreateResourceConfiguration vpc-lattice:CreateResourceGateway vpc-lattice:CreateRule vpc-lattice:CreateService vpc-lattice:CreateServiceNetwork vpc-lattice:CreateServiceNetworkResourceAssociation vpc-lattice:CreateServiceNetworkServiceAssociation vpc-lattice:CreateServiceNetworkVpcAssociation vpc-lattice:CreateTargetGroup vpc-lattice:DeleteAccessLogSubscription vpc-lattice:DeleteAuthPolicy vpc-lattice:DeleteDomainVerification vpc-lattice:DeleteListener vpc-lattice:DeleteResourceConfiguration vpc-lattice:DeleteResourceEndpointAssociation vpc-lattice:DeleteResourceGateway vpc-lattice:DeleteResourcePolicy vpc-lattice:DeleteRule vpc-lattice:DeleteService vpc-lattice:DeleteServiceNetwork vpc-lattice:DeleteServiceNetworkResourceAssociation vpc-lattice:DeleteServiceNetworkServiceAssociation vpc-lattice:DeleteServiceNetworkVpcAssociation vpc-lattice:DeleteTargetGroup vpc-lattice:DeregisterTargets vpc-lattice:GetAccessLogSubscription vpc-lattice:GetAuthPolicy vpc-lattice:GetDomainVerification vpc-lattice:GetListener vpc-lattice:GetResourceConfiguration vpc-lattice:GetResourceGateway vpc-lattice:GetResourcePolicy vpc-lattice:GetRule vpc-lattice:GetService vpc-lattice:GetServiceNetwork vpc-lattice:GetServiceNetworkResourceAssociation vpc-lattice:GetServiceNetworkServiceAssociation vpc-lattice:GetServiceNetworkVpcAssociation vpc-lattice:GetTargetGroup vpc-lattice:ListAccessLogSubscriptions vpc-lattice:ListDomainVerifications vpc-lattice:ListListeners vpc-lattice:ListResourceConfigurations vpc-lattice:ListResourceEndpointAssociations vpc-lattice:ListResourceGateways vpc-lattice:ListRules vpc-lattice:ListServiceNetworkResourceAssociations vpc-lattice:ListServiceNetworkServiceAssociations vpc-lattice:ListServiceNetworkVpcAssociations vpc-lattice:ListServiceNetworkVpcEndpointAssociations vpc-lattice:ListServiceNetworks vpc-lattice:ListServices vpc-lattice:ListTargetGroups vpc-lattice:ListTargets vpc-lattice:PutAuthPolicy vpc-lattice:PutResourcePolicy vpc-lattice:RegisterTargets vpc-lattice:StartDomainVerification vpc-lattice:UpdateAccessLogSubscription vpc-lattice:UpdateListener vpc-lattice:UpdateResourceConfiguration vpc-lattice:UpdateResourceGateway vpc-lattice:UpdateRule vpc-lattice:UpdateService vpc-lattice:UpdateServiceNetwork vpc-lattice:UpdateServiceNetworkVpcAssociation vpc-lattice:UpdateTargetGroup |
| wafv2 | wafv2:AssociateWebACL wafv2:CheckCapacity wafv2:CreateAPIKey wafv2:CreateIPSet wafv2:CreateRegexPatternSet wafv2:CreateRuleGroup wafv2:CreateWebACL wafv2:DeleteAPIKey wafv2:DeleteFirewallManagerRuleGroups wafv2:DeleteIPSet wafv2:DeleteLoggingConfiguration wafv2:DeletePermissionPolicy wafv2:DeleteRegexPatternSet wafv2:DeleteRuleGroup wafv2:DeleteWebACL wafv2:DescribeAllManagedProducts wafv2:DescribeManagedProductsByVendor wafv2:DescribeManagedRuleGroup wafv2:DisassociateWebACL wafv2:GenerateMobileSdkReleaseUrl wafv2:GetDecryptedAPIKey wafv2:GetIPSet wafv2:GetLoggingConfiguration wafv2:GetManagedRuleSet wafv2:GetMobileSdkRelease wafv2:GetRateBasedStatementManagedKeys wafv2:GetRegexPatternSet wafv2:GetRuleGroup wafv2:GetSampledRequests wafv2:GetWebACLForResource wafv2:ListAPIKeys wafv2:ListAvailableManagedRuleGroupVersions wafv2:ListAvailableManagedRuleGroups wafv2:ListIPSets wafv2:ListLoggingConfigurations wafv2:ListManagedRuleSets wafv2:ListMobileSdkReleases wafv2:ListRegexPatternSets wafv2:ListResourcesForWebACL wafv2:ListRuleGroups wafv2:ListWebACLs wafv2:PutLoggingConfiguration wafv2:PutManagedRuleSetVersions wafv2:UpdateIPSet wafv2:UpdateManagedRuleSetVersionExpiryDate wafv2:UpdateRegexPatternSet wafv2:UpdateRuleGroup wafv2:UpdateWebACL |
| wellarchitected | wellarchitected:AssociateLenses wellarchitected:AssociateProfiles wellarchitected:CreateLensShare wellarchitected:CreateLensVersion wellarchitected:CreateMilestone wellarchitected:CreateProfile wellarchitected:CreateProfileShare wellarchitected:CreateReviewTemplate wellarchitected:CreateWorkload wellarchitected:CreateWorkloadShare wellarchitected:DeleteLens wellarchitected:DeleteLensShare wellarchitected:DeleteProfile wellarchitected:DeleteProfileShare wellarchitected:DeleteReviewTemplate wellarchitected:DeleteTemplateShare wellarchitected:DeleteWorkload wellarchitected:DeleteWorkloadShare wellarchitected:DisassociateLenses wellarchitected:DisassociateProfiles wellarchitected:ExportLens wellarchitected:GetAnswer wellarchitected:GetConsolidatedReport wellarchitected:GetGlobalSettings wellarchitected:GetLens wellarchitected:GetLensReview wellarchitected:GetLensReviewReport wellarchitected:GetLensVersionDifference wellarchitected:GetMilestone wellarchitected:GetProfile wellarchitected:GetProfileTemplate wellarchitected:GetReviewTemplate wellarchitected:GetReviewTemplateAnswer wellarchitected:GetReviewTemplateLensReview wellarchitected:GetWorkload wellarchitected:ImportLens wellarchitected:ListAnswers wellarchitected:ListCheckDetails wellarchitected:ListCheckSummaries wellarchitected:ListLensReviewImprovements wellarchitected:ListLensReviews wellarchitected:ListLensShares wellarchitected:ListLenses wellarchitected:ListMilestones wellarchitected:ListNotifications wellarchitected:ListProfileNotifications wellarchitected:ListProfileShares wellarchitected:ListProfiles wellarchitected:ListReviewTemplateAnswers wellarchitected:ListReviewTemplates wellarchitected:ListShareInvitations wellarchitected:ListTemplateShares wellarchitected:ListWorkloadShares wellarchitected:ListWorkloads wellarchitected:UpdateAnswer wellarchitected:UpdateGlobalSettings wellarchitected:UpdateIntegration wellarchitected:UpdateLensReview wellarchitected:UpdateProfile wellarchitected:UpdateReviewTemplate wellarchitected:UpdateReviewTemplateLensReview wellarchitected:UpdateShareInvitation wellarchitected:UpdateWorkload wellarchitected:UpdateWorkloadShare wellarchitected:UpgradeLensReview wellarchitected:UpgradeProfileVersion wellarchitected:UpgradeReviewTemplateLensReview |
| wisdom | wisdom:CreateAssistant wisdom:CreateAssistantAssociation wisdom:CreateContent wisdom:CreateKnowledgeBase wisdom:CreateQuickResponse wisdom:CreateSession wisdom:DeleteAssistant wisdom:DeleteAssistantAssociation wisdom:DeleteContent wisdom:DeleteImportJob wisdom:DeleteKnowledgeBase wisdom:DeleteQuickResponse wisdom:GetAssistant wisdom:GetAssistantAssociation wisdom:GetContent wisdom:GetContentAssociation wisdom:GetContentSummary wisdom:GetImportJob wisdom:GetKnowledgeBase wisdom:GetRecommendations wisdom:GetSession wisdom:ListAssistantAssociations wisdom:ListAssistants wisdom:ListContentAssociations wisdom:ListContents wisdom:ListImportJobs wisdom:ListKnowledgeBases wisdom:ListQuickResponses wisdom:NotifyRecommendationsReceived wisdom:QueryAssistant wisdom:RemoveKnowledgeBaseTemplateUri wisdom:SearchContent wisdom:SearchQuickResponses wisdom:SearchSessions wisdom:StartContentUpload wisdom:StartImportJob wisdom:UpdateContent wisdom:UpdateKnowledgeBaseTemplateUri wisdom:UpdateQuickResponse wisdom:UpdateSession |
| worklink | worklink:AssociateDomain worklink:AssociateWebsiteAuthorizationProvider worklink:AssociateWebsiteCertificateAuthority worklink:CreateFleet worklink:DeleteFleet worklink:DescribeAuditStreamConfiguration worklink:DescribeCompanyNetworkConfiguration worklink:DescribeDevice worklink:DescribeDevicePolicyConfiguration worklink:DescribeDomain worklink:DescribeFleetMetadata worklink:DescribeIdentityProviderConfiguration worklink:DescribeWebsiteCertificateAuthority worklink:DisassociateDomain worklink:DisassociateWebsiteAuthorizationProvider worklink:DisassociateWebsiteCertificateAuthority worklink:ListDevices worklink:ListDomains worklink:ListFleets worklink:ListWebsiteAuthorizationProviders worklink:ListWebsiteCertificateAuthorities worklink:RestoreDomainAccess worklink:RevokeDomainAccess worklink:SignOutUser worklink:UpdateAuditStreamConfiguration worklink:UpdateCompanyNetworkConfiguration worklink:UpdateDevicePolicyConfiguration worklink:UpdateDomainMetadata worklink:UpdateFleetMetadata worklink:UpdateIdentityProviderConfiguration |
| workspaces | workspaces:AcceptAccountLinkInvitation workspaces:AssociateConnectionAlias workspaces:AssociateIpGroups workspaces:AssociateWorkspaceApplication workspaces:CopyWorkspaceImage workspaces:CreateAccountLinkInvitation workspaces:CreateConnectClientAddIn workspaces:CreateConnectionAlias workspaces:CreateIpGroup workspaces:CreateStandbyWorkspaces workspaces:CreateUpdatedWorkspaceImage workspaces:CreateWorkspaceBundle workspaces:CreateWorkspaceImage workspaces:CreateWorkspaces workspaces:CreateWorkspacesPool workspaces:DeleteAccountLinkInvitation workspaces:DeleteClientBranding workspaces:DeleteConnectClientAddIn workspaces:DeleteConnectionAlias workspaces:DeleteIpGroup workspaces:DeleteWorkspaceBundle workspaces:DeleteWorkspaceImage workspaces:DeployWorkspaceApplications workspaces:DeregisterWorkspaceDirectory workspaces:DescribeAccount workspaces:DescribeAccountModifications workspaces:DescribeApplicationAssociations workspaces:DescribeApplications workspaces:DescribeBundleAssociations workspaces:DescribeClientBranding workspaces:DescribeClientProperties workspaces:DescribeConnectClientAddIns workspaces:DescribeConnectionAliasPermissions workspaces:DescribeConnectionAliases workspaces:DescribeCustomWorkspaceImageImport workspaces:DescribeImageAssociations workspaces:DescribeIpGroups workspaces:DescribeWorkspaceAssociations workspaces:DescribeWorkspaceBundles workspaces:DescribeWorkspaceDirectories workspaces:DescribeWorkspaceImagePermissions workspaces:DescribeWorkspaceSnapshots workspaces:DescribeWorkspaces workspaces:DescribeWorkspacesConnectionStatus workspaces:DescribeWorkspacesPoolSessions workspaces:DescribeWorkspacesPools workspaces:DisassociateConnectionAlias workspaces:DisassociateIpGroups workspaces:DisassociateWorkspaceApplication workspaces:GetAccountLink workspaces:ImportClientBranding workspaces:ImportWorkspaceImage workspaces:ListAccountLinks workspaces:ListAvailableManagementCidrRanges workspaces:MigrateWorkspace workspaces:ModifyAccount workspaces:ModifyCertificateBasedAuthProperties workspaces:ModifyClientProperties workspaces:ModifyEndpointEncryptionMode workspaces:ModifySamlProperties workspaces:ModifySelfservicePermissions workspaces:ModifyStreamingProperties workspaces:ModifyWorkspaceAccessProperties workspaces:ModifyWorkspaceCreationProperties workspaces:ModifyWorkspaceProperties workspaces:ModifyWorkspaceState workspaces:RebootWorkspaces workspaces:RebuildWorkspaces workspaces:RegisterWorkspaceDirectory workspaces:RejectAccountLinkInvitation workspaces:RestoreWorkspace workspaces:StartWorkspaces workspaces:StartWorkspacesPool workspaces:StopWorkspaces workspaces:StopWorkspacesPool workspaces:TerminateWorkspaces workspaces:TerminateWorkspacesPool workspaces:TerminateWorkspacesPoolSession workspaces:UpdateConnectClientAddIn workspaces:UpdateConnectionAliasPermission workspaces:UpdateWorkspaceBundle workspaces:UpdateWorkspaceImagePermission workspaces:UpdateWorkspacesPool |
| xray | xray:CreateGroup xray:CreateSamplingRule xray:DeleteGroup xray:DeleteResourcePolicy xray:DeleteSamplingRule xray:GetEncryptionConfig xray:GetGroup xray:GetGroups xray:GetInsight xray:GetInsightEvents xray:GetInsightImpactGraph xray:GetInsightSummaries xray:GetSamplingRules xray:ListResourcePolicies xray:PutEncryptionConfig xray:PutResourcePolicy xray:UpdateGroup xray:UpdateSamplingRule |
# Policy summaries
The IAM console includes *policy summary* tables that describe the access level, resources, and conditions that are allowed or denied for each service in a policy. Policies are summarized in three tables: the [policy summary](access_policies_understand-policy-summary.md), the [service summary](access_policies_understand-service-summary.md), and the [action summary](access_policies_understand-action-summary.md). The *policy summary* table includes a list of services. Choose a service there to see the *service summary*. This summary table includes a list of the actions and associated permissions for the chosen service. You can choose an action from that table to view the *action summary*. This table includes a list of resources and conditions for the chosen action.
![\[Policy summaries diagram image that illustrates the 3 tables and their relationship\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_summaries-diagram.png)
You can view policy summaries on the **Users** page or **Roles** page for all policies (managed and inline) that are attached to that user. View summaries on the **Policies** page for all managed policies. Managed policies include AWS managed policies, AWS managed job function policies, and customer managed policies. You can view summaries for these policies on the **Policies** page regardless of whether they are attached to a user or other IAM identity.
You can use the information in the policy summaries to understand the permissions that are allowed or denied by your policy. Policy summaries can help you [troubleshoot](troubleshoot_policies.md) and fix policies that are not providing the permissions that you expect.
**Topics**
+ [Policy summary (list of services)](access_policies_understand-policy-summary.md)
+ [Access levels in policy summaries](access_policies_understand-policy-summary-access-level-summaries.md)
+ [Service summary (list of actions)](access_policies_understand-service-summary.md)
+ [Action summary (list of resources)](access_policies_understand-action-summary.md)
+ [Examples of policy summaries](access_policies_policy-summary-examples.md)
# Policy summary (list of services)
Policies are summarized in three tables: the policy summary, the [service summary](access_policies_understand-service-summary.md), and the [action summary](access_policies_understand-action-summary.md). The *policy summary* table includes a list of services and summaries of the permissions that are defined by the chosen policy.
![\[Policy summaries diagram image that illustrates the 3 tables and their relationship\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_summaries-pol-sum.png)
The policy summary table is grouped into one or more **Uncategorized services**, **Explicit deny**, and **Allow** sections. If the policy includes a service that IAM does not recognize, then the service is included in the **Uncategorized services** section of the table. If IAM recognizes the service, then it is included under the **Explicit deny** or **Allow** sections of the table, depending on the effect of the policy (`Deny` or `Allow`).
## Understanding the elements of a policy summary
In the following example of a policy details page, the **SummaryAllElements** policy is a managed policy (customer managed policy) that is attached directly to the user. This policy is expanded to show the policy summary.
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-user-page-dialog.png)
In the preceding image, the policy summary is visible from within the **Policies** page:
1. The **Permissions** tab includes the permissions defined in the policy.
1. If the policy does not grant permissions to all the actions, resources, and conditions defined in the policy, then a warning or error banner appears at the top of the page. The policy summary then includes details about the problem. To learn how policy summaries help you to understand and troubleshoot the permissions that your policy grants, see [My policy does not grant the expected permissions](troubleshoot_policies.md#policy-summary-not-grant-permissions).
1. Use the **Summary** and **JSON** buttons to toggle between the policy summary and the JSON policy document.
1. Use the **Search** box to reduce the list of services and find a specific service.
1. The expanded view shows additional details of the **SummaryAllElements** policy.
The following policy summary table image shows the expanded **SummaryAllElements** policy on the policy details page.
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-table-dialog.png)
In the preceding image, the policy summary is visible from within the **Policies** page:
1. For those services that IAM recognizes, it arranges services according to whether the policy allows or explicitly denies the use of the service. In this example, the policy includes a `Deny` statement for the Amazon S3 service and `Allow` statements for the Billing, CodeDeploy, and Amazon EC2 services.
1. **Service** – This column lists the services that are defined within the policy and provides details for each service. Each service name in the policy summary table is a link to the *service summary* table, which is explained in [Service summary (list of actions)](access_policies_understand-service-summary.md). In this example, permissions are defined for the Amazon S3, Billing, CodeDeploy, and Amazon EC2 services.
1. **Access level** – This column tells whether the actions in each access level (`List`, `Read`, `Write`, `Permission Management`, and `Tagging`) have `Full` or `Limited` permissions defined in the policy. For additional details and examples of the access level summary, see [Access levels in policy summaries](access_policies_understand-policy-summary-access-level-summaries.md).
+ **Full access** – This entry indicates that the service has access to all actions within all four of the access levels available for the service.
+ If the entry does not include **Full access**, then the service has access to some but not all of the actions for the service. The access is then defined by following descriptions for each of the access level classifications (`List`, `Read`, `Write`, `Permission Management`, and `Tagging`):
**Full**: The policy provides access to all actions within each access level classification listed. In this example, the policy provides access to all of the Billing `Read` actions.
**Limited**: The policy provides access to one or more but not all actions within each access level classification listed. In this example, the policy provides access to some of the Billing `Write` actions.
1. **Resource** – This column shows the resources that the policy specifies for each service.
+ **Multiple** – The policy includes more than one but not all of the resources within the service. In this example, access is explicitly denied to more than one Amazon S3 resource.
+ **All resources** – The policy is defined for all resources within the service. In this example, the policy allows the listed actions to be performed on all Billing resources.
+ Resource text – The policy includes one resource within the service. In this example, the listed actions are allowed on only the `DeploymentGroupName` CodeDeploy resource. Depending on the information that the service provides to IAM, you might see an ARN or you might see the defined resource type.
**Note**
This column can include a resource from a different service. If the policy statement that includes the resource does not include both actions and resources from the same service, then your policy includes mismatched resources. IAM does not warn you about mismatched resources when you create a policy, or when you view a policy in the policy summary. If this column includes a mismatched resource, then you should review your policy for errors. To better understand your policies, always test them with the [policy simulator](access_policies_testing-policies.md).
1. **Request condition** – This column indicates whether the services or actions associated with the resource are subject to conditions.
+ **None** – The policy includes no conditions for the service. In this example no conditions are applied to the denied actions in the Amazon S3 service.
+ Condition text – The policy includes one condition for the service. In this example, the listed Billing actions are allowed only if the IP address of the source matches `203.0.113.0/24`.
+ **Multiple** – The policy includes more than one condition for the service. To view each of the multiple conditions for the policy, choose **JSON** to view the policy document.
1. **Show remaining services** – Toggle this button to expand the table to include the services that are not defined by the policy. These services are *implicitly denied* (or denied by default) within this policy. However, a statement in another policy might still allow or explicitly deny using the service. The policy summary summarizes the permissions of a single policy. To learn about how the AWS service decides whether a given request should be allowed or denied, see [Policy evaluation logic](reference_policies_evaluation-logic.md).
When a policy or an element within the policy does not grant permissions, IAM provides additional warnings and information in the policy summary. The following policy summary table shows the expanded **Show remaining services** services on the **SummaryAllElements** policy details page with the possible warnings.
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-table-showremaining-dialog.png)
In the preceding image, you can see all services that include defined actions, resources, or conditions with no permissions:
1. **Resource warnings** – For services that do not provide permissions for all of the included actions or resources, you see one of the following warnings in the **Resource** column of the table:
+ **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) No resources are defined.** – This means that the service has defined actions but no supported resources are included in the policy.
+ **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable resource.** – This means that the service has defined actions, but that some of those actions don't have a supported resource.
+ **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more resources do not have an applicable action.** – This means that the service has defined resources, but that some of those resources don't have a supporting action.
If a service includes both actions that do not have an applicable resource and resources that do have an applicable resource, then only the **One or more resources do not have an applicable action.** warning is shown. This is because when you view the service summary for the service, resources that do not apply to any action are not shown. For the `ListAllMyBuckets` action, this policy includes the last warning because the action does not support resource-level permissions, and does not support the `s3:x-amz-acl` condition key. If you fix either the resource problem or the condition problem, the remaining issue appears in a detailed warning.
1. **Request condition warnings** – For services that do not provide permissions for all of the included conditions, you see one of the following warnings in the **Request condition** column of the table:
+ **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable condition.** – This means that the service has defined actions, but that some of those actions don't have a supported condition.
+ **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more conditions do not have an applicable action.** – This means that the service has defined conditions, but that some of those conditions don't have a supporting action.
1. **Multiple \$1 ![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable resource.** – The `Deny` statement for Amazon S3 includes more than one resource. It also includes more than one action, and some actions support the resources and some do not. To view this policy, see [**SummaryAllElements** JSON policy document](#policy-summary-example-json). In this case, the policy includes all Amazon S3 actions, and only the actions that can be performed on a bucket or bucket object are denied.
1. **![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) No resources are defined** – The service has defined actions, but no supported resources are included in the policy, and therefore the service provides no permissions. In this case, the policy includes CodeCommit actions but no CodeCommit resources.
1. **DeploymentGroupName \$1 string like \$1 All, region \$1 string like \$1 us-west-2 \$1 ![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more actions do not have an applicable resource.** – The service has a defined action, and at least one more action that does not have a supporting resource.
1. **None \$1 ![\[Warning hazard sign icon with yellow triangle background.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) One or more conditions do not have an applicable action.** – The service has at least one condition key that does not have a supporting action.
## **SummaryAllElements** JSON policy document
The **SummaryAllElements** policy is not intended for you to use to define permissions in your account. Rather, it is included to demonstrate the errors and warnings that you might encounter while viewing a policy summary.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"billing:Get*",
"payments:List*",
"payments:Update*",
"account:Get*",
"account:List*",
"cur:GetUsage*"
],
"Resource": [
"*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
},
{
"Effect": "Deny",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::customer",
"arn:aws:s3:::customer/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:GetConsoleScreenshots"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"codedploy:*",
"codecommit:*"
],
"Resource": [
"arn:aws:codedeploy:us-west-2:123456789012:deploymentgroup:*",
"arn:aws:codebuild:us-east-1:123456789012:project/my-demo-project"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:DeletObject",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::amzn-s3-demo-bucket",
"arn:aws:s3:::amzn-s3-demo-bucket/*",
"arn:aws:autoscling:us-east-2:123456789012:autoscalgrp"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": [
"public-read"
],
"s3:prefix": [
"custom",
"other"
]
}
}
}
]
}
```
------
# View policy summaries
You can view the policy summaries for any policies that are attached to an IAM user or role. For managed policies, you can view policy summaries on the **Policies** page. If your policy does not include a policy summary, see [Missing policy summary](troubleshoot_policies.md#missing-policy-summary) to learn why.
## Viewing policy summaries from the **Policies** page
You can view the policy summary for managed policies on the **Policies** page.
**To view the policy summary from the **Policies** page**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the name of the policy that you want to view.
1. On the **Policy details** page for the policy, view the **Permissions** tab to see the policy summary.
## Viewing a policy summary for a policy attached to a user
You can view the policy summary for any policies that are attached to an IAM user.
**To view the summary for a policy attached to a user**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Choose **Users** from the navigation pane.
1. In the list of users, choose the name of the user whose policy you want to view.
1. On the **Summary** page for the user, view the **Permissions** tab to see the list of policies that are attached to the user directly or from a group.
1. In the table of policies for the user, expand the row of the policy that you want to view.
## Viewing a policy summary for a policy attached to a role
You can view the policy summary for any policies that are attached to a role.
**To view the summary for a policy attached to a role**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Roles**.
1. In the list of roles, choose the name of the role whose policy you want to view.
1. On the **Summary** page for the role, view the **Permissions** tab to see the list of policies that are attached to the role.
1. In the table of policies for the role, expand the row of the policy that you want to view.
## Editing policies to fix warnings
While viewing a policy summary, you might find a typo or notice that the policy does not provide the permissions that you expected. You cannot edit a policy summary directly. However, you can edit a customer managed policy using the visual policy editor, which catches many of the same errors and warnings that the policy summary reports. You can then view the changes in the policy summary to confirm that you fixed all of the issues. To learn how to edit an inline policy, see [Edit IAM policies](access_policies_manage-edit.md). You cannot edit AWS managed policies.
You can edit a policy for your policy summary using the **Visual** option.
**To edit a policy for your policy summary using the **Visual** option**
1. Open the policy summary as explained in the previous procedures.
1. Choose **Edit**.
If you are on the **Users** page and choose to edit a customer managed policy that is attached to that user, you are redirected to the **Policies** page. You can edit customer managed policies only on the **Policies** page.
1. Choose the **Visual** option to view the editable visual representation of your policy. IAM might restructure your policy to optimize it for the visual editor and to make it easier for you to find and fix any problems. The warnings and error messages on the page can guide you to fix any issues with your policy. For more information about how IAM restructures policies, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
1. Edit your policy and choose **Next** to see your changes reflected in the policy summary. If you still see a problem, choose **Previous** to return to the editing screen.
1. Choose **Save changes** to save your changes.
You can edit a policy for your policy summary using the **JSON** option.
**To edit a policy for your policy summary using the **JSON** option**
1. Open the policy summary as explained in the previous procedures.
1. You can use the **Summary** and **JSON** buttons to compare the policy summary to the JSON policy document. You can use this information to determine which lines in the policy document you want to change.
1. Choose **Edit** and then choose the **JSON** option to edit the JSON policy document.
**Note**
You can switch between the **Visual** and **JSON** editor options any time. However, if you make changes or choose **Next** in the **Visual** editor option, IAM might restructure your policy to optimize it for the visual editor. For more information, see [Policy restructuring](troubleshoot_policies.md#troubleshoot_viseditor-restructure).
If you are on the **Users** page and choose to edit a customer managed policy that is attached to that user, you are redirected to the **Policies** page. You can edit customer managed policies only on the **Policies** page.
1. Edit your policy. Resolve any security warnings, errors, or general warnings generated during [policy validation](access_policies_policy-validator.md), and then choose **Next**. If you still see a problem, choose **Previous** to return to the editing screen.
1. Choose **Save changes** to save your changes.
# Access levels in policy summaries
## AWS access level summary
Policy summaries include an access level summary that describes the action permissions defined for each service that is mentioned in the policy. To learn about policy summaries, see [Policy summaries](access_policies_understand.md). Access level summaries indicate whether the actions in each access level (`List`, `Read`, `Tagging`, `Write`, and `Permissions management`) have `Full` or `Limited` permissions defined in the policy. To view the access level classification that is assigned to each action in a service, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html).
The following example describes the access provided by a policy for the given services. For examples of full JSON policy documents and their related summaries, see [Examples of policy summaries](access_policies_policy-summary-examples.md).
****
| Service | Access level | This policy provides the following |
| --- | --- | --- |
| IAM | Full access | Access to all actions within the IAM service. |
| CloudWatch | Full: List | Access to all CloudWatch actions in the List access level, but no access to actions with the Read, Write, or Permissions management access level classification. |
| Data Pipeline | Limited: List, Read | Access to at least one but not all AWS Data Pipeline actions in the List and Read access level, but not the Write or Permissions management actions. |
| EC2 | Full: List, Read Limited: Write | Access to all Amazon EC2 List and Read actions and access to at least one but not all Amazon EC2 Write actions, but no access to actions with the Permissions management access level classification. |
| S3 | Limited: Read, Write, Permissions management | Access to at least one but not all Amazon S3 Read, Write and Permissions management actions. |
| codedploy | (empty) | Unknown access, because IAM does not recognize this service. |
| API Gateway | None | No access is defined in the policy. |
| CodeBuild | ![\[a white exclamation point on an orange triangle background\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/console-alert-icon.console.png) No actions are defined. | No access because no actions are defined for the service. To learn how to understand and troubleshoot this issue, see [My policy does not grant the expected permissions](troubleshoot_policies.md#policy-summary-not-grant-permissions). |
In a policy summary, **Full access** indicates that the policy provides access to all the actions within the service. Policies that provide access to some but not all actions within a service are further grouped according to the access level classification. This is indicated by one of the following access-level groupings:
+ **Full**: The policy provides access to all actions within the specified access level classification.
+ **Limited**: The policy provides access to one or more but not all actions within the specified access level classification.
+ **None**: The policy provides no access.
+ (empty): IAM does not recognize this service. If the service name includes a typo, then the policy provides no access to the service. If the service name is correct, then the service might not support policy summaries or might be in preview. In this case, the policy might provide access, but that access cannot be shown in the policy summary. To request policy summary support for a generally available (GA) service, see [Service does not support IAM policy summaries](troubleshoot_policies.md#unsupported-services-actions).
Access level summaries that include limited (partial) access to actions are grouped using the AWS access level classifications `List`, `Read`, `Tagging`, `Write`, or `Permissions management`.
## AWS access levels
AWS defines the following access level classifications for the actions in a service:
+ **List**: Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource. For example, the Amazon S3 action `ListBucket` has the **List** access level.
+ **Read**: Permission to read but not edit the contents and attributes of resources in the service. For example, the Amazon S3 actions `GetObject` and `GetBucketLocation` have the **Read** access level.
+ **Tagging**: Permission to perform actions that only change the state of resource tags. For example, the IAM actions `TagRole` and `UntagRole` have the **Tagging** access level because they allow only tagging or untagging a role. However, the `CreateRole` action allows tagging a role resource when you create that role. Because the action does not only add a tag, it has the `Write` access level.
+ **Write**: Permission to create, delete, or modify resources in the service. For example, the Amazon S3 actions `CreateBucket`, `DeleteBucket` and `PutObject` have the **Write** access level. `Write` actions might also allow modifying a resource tag. However, an action that allows only changes to tags has the `Tagging` access level.
+ **Permissions management**: Permissions management refers to actions that control access within AWS services, including IAM and non-IAM identity permissions, but excludes network-level access controls like security groups. For example, most IAM and AWS Organizations actions, as well as the Amazon S3 actions `PutBucketPolicy` and `DeleteBucketPolicy` have the **Permissions management** access level.
**Tip**
To improve the security of your AWS account, restrict or regularly monitor policies that include the **Permissions management** access level classification.
To view the access level classification for all of the actions in a service, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html).
# Service summary (list of actions)
Policies are summarized in three tables: the [policy summary](access_policies_understand-policy-summary.md), the service summary, and the [action summary](access_policies_understand-action-summary.md). The *service summary* table includes a list of the actions and summaries of the permissions that are defined by the policy for the chosen service.
![\[Policy summaries diagram image that illustrates the 3 tables and their relationship\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_summaries-svc-sum.png)
You can view a service summary for each service listed in the policy summary that grants permissions. The table is grouped into **Uncategorized actions**, **Uncategorized resource types**, and access level sections. If the policy includes an action that IAM does not recognize, then the action is included in the **Uncategorized actions** section of the table. If IAM recognizes the action, then it is included under one of the access level (**List**, **Read**, **Write** and **Permissions management**) sections of the table. To view the access level classification that is assigned to each action in a service, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html).
## Understanding the elements of a service summary
The example below is the service summary for Amazon S3 actions that are allowed from a policy summary. The actions for this service are grouped by access level. For example, 35 **Read** actions are defined out of the total 52 **Read** actions available for the service.
![\[Service summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-action-dialog.png)
The service summary page for a managed policy includes the following information:
1. If the policy does not grant permissions to all the actions, resources, and conditions defined for the service in the policy, then a warning banner appears at the top of the page. The service summary then includes details about the problem. To learn how policy summaries help you to understand and troubleshoot the permissions that your policy grants, see [My policy does not grant the expected permissions](troubleshoot_policies.md#policy-summary-not-grant-permissions).
1. Choose **JSON** to see additional details about the policy. You can do this to view all conditions that are applied to the actions. (If you are viewing the service summary for an inline policy that is attached directly to a user, you must close the service summary dialog box and return to the policy summary to access the JSON policy document.)
1. To view the summary for a specific action, type keywords into the **Search** box to reduce the list of available actions.
1. Next to the **Services** back arrow appears the name of the service (in this case **S3**). The service summary for this service includes the list of allowed or denied actions that are defined in the policy. If the service appears under **(Explicit deny)** on the **Permissions** tab, then the actions listed in the service summary table are explicitly denied. If the service appears under **Allow** on the **Permissions** tab, then the actions listed in the service summary table are allowed.
1. **Action** – This column lists the actions that are defined within the policy and provides the resources and conditions for each action. If the policy grants or denies permissions to the action, then the action name links to the *[action summary](access_policies_understand-action-summary.md)* table. The table groups these actions into at least one or up to five sections, depending on the level of access that the policy allows or denies. The sections are **List**, **Read**, **Write**, **Permission Management**, and **Tagging**. The count indicates the number of recognized actions that provide permissions within each access level. The total is the number of known actions for the service. In this example, 35 actions provide permissions out of 52 total known Amazon S3 **Read** actions. To view the access level classification that is assigned to each action in a service, see [Actions, Resources, and Condition Keys for AWS Services](reference_policies_actions-resources-contextkeys.html).
1. **Show remaining actions** – Toggle this button to expand or hide the table to include actions that are known but do not provide permissions for this service. Toggling the button also displays warnings for any elements that do not provide permissions.
1. **Resource** – This column shows the resources that the policy defines for the service. IAM does not check whether the resource applies to each action. In this example, actions in the Amazon S3 service are allowed on only the `developer_bucket` Amazon S3 bucket resource. Depending on the information that the service provides to IAM, you might see an ARN such as `arn:aws:s3:::developer_bucket/*`, or you might see the defined resource type, such as `BucketName = developer_bucket`.
**Note**
This column can include a resource from a different service. If the policy statement that includes the resource does not include both actions and resources from the same service, then your policy includes mismatched resources. IAM does not warn you about mismatched resources when you create a policy, or when you view a policy in the service summary. IAM also does not indicate whether the action applies to the resources, only whether the service matches. If this column includes a mismatched resource, then you should review your policy for errors. To better understand your policies, always test them with the [policy simulator](access_policies_testing-policies.md).
1. **Request condition** – This column tells whether the actions associated with the resource are subject to conditions. To learn more about those conditions, choose **JSON** to review the JSON policy document.
1. **(No access) **– This policy includes an action that does not provide permissions.
1. **Resource warning** – For actions with resources that do not provide full permissions, you see one of the following warnings:
+ **This action does not support resource-level permissions. This requires a wildcard (\$1) for the resource.** – This means that the policy includes resource-level permissions but must include `"Resource": ["*"]` to provide permissions for this action.
+ **This action does not have an applicable resource.** – This means that the action is included in the policy without a supported resource.
+ **This action does not have an applicable resource and condition.** – This means that the action is included in the policy without a supported resource and without a supported condition. In this case, there is also condition included in the policy for this service, but there are no conditions that apply to this action.
1. Actions that provide permissions include a link to the action summary.
# View service summaries
You can view a service summary for each service listed in the policy summary that grants permissions.
## Viewing service summaries from the **Policies** page
You can view the service summary for managed policies on the **Policies** page.
**To view the service summary for a managed policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the name of the policy that you want to view.
1. On the **Policy details** page for the policy, view the **Permissions** tab to see the policy summary.
1. In the policy summary list of services, choose the name of the service that you want to view.
## Viewing a service summary for a policy attached to a user
You can view the service summary for any policies that are attached to an IAM user.
**To view the service summary for a policy attached to a user**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Users**.
1. In the list of users, choose the name of the user whose policy you want to view.
1. On the **Summary** page for the user, view the **Permissions** tab to see the list of policies that are attached to the user directly or from a group.
1. In the table of policies for the user, choose the name of the policy that you want to view.
If you are on the **Users** page and choose to view the service summary for a policy that is attached to that user, you are redirected to the **Policies** page. You can view service summaries only on the **Policies** page.
1. Choose **Summary**. In the policy summary list of services, choose the name of the service that you want to view.
**Note**
If the policy that you select is an inline policy that is attached directly to the user, then the service summary table appears. If the policy is an inline policy attached from a group, then you are taken to the JSON policy document for that group. If the policy is a managed policy, then you are taken to the service summary for that policy on the **Policies** page.
## Viewing a service summary for a policy attached to a role
You can view the policy summary for any policies that are attached to a role.
**To view the service summary for a policy attached to a role**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Choose **Roles** from the navigation pane.
1. In the list of roles, choose the name of the role whose policy you want to view.
1. On the **Summary** page for the role, view the **Permissions** tab to see the list of policies that are attached to the role.
1. In the table of policies for the role, choose the name of the policy that you want to view.
If you are on the **Roles** page and choose to view the service summary for a policy that is attached to that user, you are redirected to the **Policies** page. You can view service summaries only on the **Policies** page.
1. In the policy summary list of services, choose the name of the service that you want to view.
# Action summary (list of resources)
Policies are summarized in three tables: the [policy summary](access_policies_understand-policy-summary.md), the [service summary](access_policies_understand-service-summary.md), and the action summary. The *action summary* table includes a list of resources and the associated conditions that apply to the chosen action.
![\[policy summaries diagram that illustrates the 3 tables and their relationship.\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policy_summaries-action-sum.png)
To view an action summary for each action that grants permissions, choose the link in the service summary. The action summary table includes details about the resource, including its **Region** and **Account**. You can also view the conditions that apply to each resource. This shows you conditions that apply to some resources but not others.
## Understanding the elements of an action summary
The example below is the action summary for the `PutObject` (Write) action from the Amazon S3 service summary (see [Service summary (list of actions)](access_policies_understand-service-summary.md)). For this action, the policy defines multiple conditions on a single resource.
![\[Action summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-resource-dialog.png)
The action summary page includes the following information:
1. Choose **JSON** to see additional details about the policy, such as viewing the multiple conditions that are applied to the actions. (If you are viewing the action summary for an inline policy that is attached directly to a user, the steps differ. To access the JSON policy document in that case, you must close the action summary dialog box and return to the policy summary.)
1. To view the summary for a specific resource, type keywords into the **Search** box to reduce the list of available resources.
1. Next to the **Actions** back arrow appears the name of the service and action in the format `action name action in service` (in this case **PutObject action in S3**). The action summary for this service includes the list of resources that are defined in the policy.
1. **Resource** – This column lists the resources that the policy defines for the chosen service. In this example, the **PutObject** action is allowed on all object paths, but on only the `developer_bucket` Amazon S3 bucket resource. Depending on the information that the service provides to IAM, you might see an ARN such as `arn:aws:s3:::developer_bucket/*`, or you might see the defined resource type, such as `BucketName = developer_bucket, ObjectPath = All`.
1. **Region** – This column shows the Region in which the resource is defined. Resources can be defined for all Regions, or a single Region. They cannot exist in more than one specific Region.
+ **All regions** – The actions that are associated with the resource apply to all Regions. In this example, the action belongs to a global service, Amazon S3. Actions that belong to global services apply to all Regions.
+ Region text – The actions associated with the resource apply to one Region. For example, a policy can specify the `us-east-2` Region for a resource.
1. **Account** – This column indicates whether the services or actions associated with the resource apply to a specific account. Resources can exist in all accounts or a single account. They cannot exist in more than one specific account.
+ **All accounts** – The actions that are associated with the resource apply to all accounts. In this example, the action belongs to a global service, Amazon S3. Actions that belong to global services apply to all accounts.
+ **This account** – The actions that are associated with the resource apply only in the current account..
+ Account number – The actions that are associated with the resource apply to one account (one that you are not currently logged in to). For example, if a policy specifies the `123456789012` account for a resource, then the account number appears in the policy summary.
1. **Request condition** – This column shows whether the actions that are associated with the resource are subject to conditions. This example includes the `s3:x-amz-acl = public-read` condition. To learn more about those conditions, choose **JSON** to review the JSON policy document.
# View action summaries
You can view an action summary for each action listed in the policy summary that grants permissions.
## Viewing action summaries from the **Policies** page
You can view the action summary for managed policies.
**To view the action summary for a managed policy**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Policies**.
1. In the list of policies, choose the name of the policy that you want to view.
1. On the **Policy details** page for the policy, view the **Permissions** tab to see the policy summary.
1. In the policy summary list of services, choose the name of the service that you want to view.
1. In the service summary list of actions, choose the name of the action that you want to view.
## Viewing action summaries for a policy attached to a user
You can view the action summary for any policy that is attached to a user.
**To view the action summary for a policy attached to a user**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. Choose **Users** from the navigation pane.
1. In the list of users, choose the name of the user whose policy you want to view.
1. On the **Summary** page for the user, view the **Permissions** tab to see the list of policies that are attached to the user directly or from a group.
1. In the table of policies for the user, choose the name of the policy that you want to view.
If you are on the **Users** page and choose to view the service summary for a policy that is attached to that user, you are redirected to the **Policies** page. You can view service summaries only on the **Policies** page.
1. In the policy summary list of services, choose the name of the service that you want to view.
**Note**
If the policy that you select is an inline policy that is attached directly to the user, then the service summary table appears. If the policy is an inline policy attached from a group, then you are taken to the JSON policy document for that group. If the policy is a managed policy, then you are taken to the service summary for that policy on the **Policies** page.
1. In the service summary list of actions, choose the name of the action that you want to view.
## Viewing action summaries for a policy attached to a role
You can view the action summary for any policy that is attached to a role.
**To view the action summary for a policy attached to a role**
1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).
1. In the navigation pane, choose **Roles**.
1. In the list of roles, choose the name of the role whose policy you want to view.
1. On the **Summary** page for the role, view the **Permissions** tab to see the list of policies that are attached to the role.
1. In the table of policies for the role, choose the name of the policy that you want to view.
If you are on the **Roles** page and choose to view the service summary for a policy that is attached to that user, you are redirected to the **Policies** page. You can view service summaries only on the **Policies** page.
1. In the policy summary list of services, choose the name of the service that you want to view.
1. In the service summary list of actions, choose the name of the action that you want to view.
# Examples of policy summaries
The following examples include JSON policies with their associated [policy summaries](access_policies_understand-policy-summary.md), the [service summaries](access_policies_understand-service-summary.md), and the [action summaries](access_policies_understand-action-summary.md) to help you understand the permissions given through a policy.
## Policy 1: DenyCustomerBucket
This policy demonstrates an allow and a deny for the same service.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "FullAccess",
"Effect": "Allow",
"Action": ["s3:*"],
"Resource": ["*"]
},
{
"Sid": "DenyCustomerBucket",
"Action": ["s3:*"],
"Effect": "Deny",
"Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*" ]
}
]
}
```
------
***DenyCustomerBucket** Policy Summary:*
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-example1-dialog.png)
***DenyCustomerBucket S3 (Explicit deny)** Service Summary:*
![\[Service summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-action-example1-dialog.png)
***GetObject (Read)** Action Summary:*
![\[Action summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-resource-example1-dialog.png)
## Policy 2: DynamoDbRowCognitoID
This policy provides row-level access to Amazon DynamoDB based on the user's Amazon Cognito ID.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:us-west-1:123456789012:table/myDynamoTable"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:sub}"
]
}
}
}
]
}
```
------
***DynamoDbRowCognitoID** Policy Summary:*
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-example2-dialog.png)
***DynamoDbRowCognitoID DynamoDB (Allow)** Service Summary:*
![\[Service summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-action-example2-dialog.png)
***GetItem (List)** Action Summary:*
![\[Action summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-resource-example2-dialog.png)
## Policy 3: MultipleResourceCondition
This policy includes multiple resources and conditions.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": ["arn:aws:s3:::Apple_bucket/*"],
"Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": ["arn:aws:s3:::Orange_bucket/*"],
"Condition": {"StringEquals": {
"s3:x-amz-acl": ["custom"],
"s3:x-amz-grant-full-control": ["1234"]
}}
}
]
}
```
------
***MultipleResourceCondition** Policy Summary:*
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-example3-dialog.png)
***MultipleResourceCondition S3 (Allow)** Service Summary:*
![\[Service summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-action-example3-dialog.png)
***PutObject (Write)** Action Summary:*
![\[Action summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-resource-example3-dialog.png)
## Policy 4: EC2\$1troubleshoot
The following policy allows users to get a screenshot of a running Amazon EC2 instance, which can help with EC2 troubleshooting. This policy also permits viewing information about the items in the Amazon S3 developer bucket.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:GetConsoleScreenshot"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::developer"
]
}
]
}
```
------
***EC2\$1Troubleshoot** Policy Summary:*
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-example4-dialog.png)
***EC2\$1Troubleshoot S3 (Allow)** Service Summary:*
![\[Service summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-action-example4-dialog.png)
***ListBucket (List)** Action Summary:*
![\[Action summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-resource-example4-dialog.png)
## Policy 5: CodeBuild\$1CodeCommit\$1CodeDeploy
This policy provides access to specific CodeBuild, CodeCommit, and CodeDeploy resources. Because these resources are specific to each service, they appear only with the matching service. If you include a resource that does not match any services in the `Action` element, then the resource appears in all action summaries.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Stmt1487980617000",
"Effect": "Allow",
"Action": [
"codebuild:*",
"codecommit:*",
"codedeploy:*"
],
"Resource": [
"arn:aws:codebuild:us-east-2:123456789012:project/my-demo-project",
"arn:aws:codecommit:us-east-2:123456789012:MyDemoRepo",
"arn:aws:codedeploy:us-east-2:123456789012:application:WordPress_App",
"arn:aws:codedeploy:us-east-2:123456789012:instance/AssetTag*"
]
}
]
}
```
------
***CodeBuild\$1CodeCommit\$1CodeDeploy** Policy Summary:*
![\[Policy summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-example6-dialog.png)
***CodeBuild\$1CodeCommit\$1CodeDeploy CodeBuild (Allow)** Service Summary:*
![\[Service summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-action-example6-dialog.png)
***CodeBuild\$1CodeCommit\$1CodeDeploy StartBuild (Write)** Action Summary:*
![\[Action summary dialog image\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/policies-summary-resource-example6-dialog.png)
# Permissions required to access IAM resources
*Resources* are objects within a service. IAM resources include groups, users, roles, and policies. If you are signed in with AWS account root user credentials, you have no restrictions on administering IAM credentials or IAM resources. However, IAM users must explicitly be given permissions to administer credentials or IAM resources. You can do this by attaching an identity-based policy to the user.
**Note**
Throughout the AWS documentation, when we refer to an IAM policy without mentioning any of the specific categories, we mean an identity-based, customer managed policy. For details about policy categories, see [Policies and permissions in AWS Identity and Access Management](access_policies.md).
## Permissions for administering IAM identities
The permissions that are required to administer IAM groups, users, roles, and credentials usually correspond to the API actions for the task. For example, in order to create IAM users, you must have the `iam:CreateUser` permission that has the corresponding API command: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html). To allow an IAM user to create other IAM users, you could attach an IAM policy like the following one to that user:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:CreateUser",
"Resource": "*"
}
}
```
------
In a policy, the value of the `Resource` element depends on the action and what resources the action can affect. In the preceding example, the policy allows a user to create any user (`*` is a wildcard that matches all strings). In contrast, a policy that allows users to change only their own access keys (API actions [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html) and [https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html)) typically has a `Resource` element. In this case the ARN includes a variable (`${aws:username}`) that resolves to the current user's name, as in the following example:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ListUsersForConsole",
"Effect": "Allow",
"Action": "iam:ListUsers",
"Resource": "arn:aws:iam::*:*"
},
{
"Sid": "ViewAndUpdateAccessKeys",
"Effect": "Allow",
"Action": [
"iam:UpdateAccessKey",
"iam:CreateAccessKey",
"iam:ListAccessKeys"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
}
]
}
```
------
In the previous example, `${aws:username}` is a variable that resolves to the user name of the current user. For more information about policy variables, see [IAM policy elements: Variables and tags](reference_policies_variables.md).
Using a wildcard character (`*`) in the action name often makes it easier to grant permissions for all the actions related to a specific task. For example, to allow users to perform any IAM action, you can use `iam:*` for the action. To allow users to perform any action related just to access keys, you can use `iam:*AccessKey*` in the `Action` element of a policy statement. This gives the user permission to perform the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccessKey.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteAccessKey.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccessKeyLastUsed.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccessKeyLastUsed.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAccessKeys.html), and [https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html) actions. (If an action is added to IAM in the future that has "AccessKey" in the name, using `iam:*AccessKey*` for the `Action` element will also give the user permission to that new action.) The following example shows a policy that allows users to perform all actions pertaining to their own access keys (replace `account-id` with your AWS account ID):
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:*AccessKey*",
"Resource": "arn:aws:iam::111122223333:user/${aws:username}"
}
}
```
------
Some tasks, such as deleting a group, involve multiple actions: You must first remove users from the group, then detach or delete the group's policies, and then actually delete the group. If you want a user to be able to delete a group, you must be sure to give the user permissions to perform all of the related actions.
## Permissions for working in the AWS Management Console
The preceding examples show policies that allow a user to perform the actions with the [AWS CLI](http://aws.amazon.com/cli/) or the [AWS SDKs](http://aws.amazon.com/tools/).
As users work with the console, the console issues requests to IAM to list groups, users, roles, and policies, and to get the policies associated with a group, user, or role. The console also issues requests to get AWS account information and information about the principal. The principal is the user making requests in the console.
In general, to perform an action, you must have only the matching action included in a policy. To create a user, you need permission to call the `CreateUser` action. Often, when you use the console to perform an action, you must have permissions to display, list, get, or otherwise view resources in the console. This is necessary so that you can navigate through the console to make the specified action. For example, if user Jorge wants to use the console to change his own access keys, he goes to the IAM console and chooses **Users**. This action causes the console to make a [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html) request. If Jorge doesn't have permission for the `iam:ListUsers` action, the console is denied access when it tries to list users. As a result, Jorge can't get to his own name and to his own access keys, even if he has permissions for the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateAccessKey.html) and [https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateAccessKey.html) actions.
If you want to give users permissions to administer groups, users, roles, policies, and credentials with the AWS Management Console, you need to include permissions for the actions that the console performs. For some examples of policies that you can use to grant a user for these permissions, see [Example policies for administering IAM resources](id_credentials_delegate-permissions_examples.md).
## Grant permissions across AWS accounts
You can directly grant IAM users in your own account access to your resources. If users from another account need access to your resources, you can create an IAM role, which is an entity that includes permissions but that isn't associated with a specific user. Users from other accounts can then use the role and access resources according to the permissions you've assigned to the role. For more information, see [Access for an IAM user in another AWS account that you own](id_roles_common-scenarios_aws-accounts.md).
**Note**
Some services support resource-based policies as described in [Identity-based policies and resource-based policies](access_policies_identity-vs-resource.md) (such as Amazon S3, Amazon SNS, and Amazon SQS). For those services, an alternative to using roles is to attach a policy to the resource (bucket, topic, or queue) that you want to share. The resource-based policy can specify the AWS account that has permissions to access the resource.
## Permissions for one service to access another
Many AWS services access other AWS services. For example, several AWS services—including Amazon EMR, Elastic Load Balancing, and Amazon EC2 Auto Scaling—manage Amazon EC2 instances. Other AWS services make use of Amazon S3 buckets, Amazon SNS topics, Amazon SQS queues, and so on.
The scenario for managing permissions in these cases varies by service. Here are some examples of how permissions are handled for different services:
+ In Amazon EC2 Auto Scaling, users must have permission to use Auto Scaling, but don't need to be explicitly granted permission to manage Amazon EC2 instances.
+ In AWS Data Pipeline, an IAM role determines what a pipeline can do; users need permission to assume the role. (For details, see [ Granting Permissions to Pipelines with IAM](https://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-iam-roles.html) in the *AWS Data Pipeline Developer Guide*.)
For details about how to configure permissions properly so that an AWS service is able to accomplish the tasks you intend, refer to the documentation for the service you are calling. To learn how to create a role for a service, see [Create a role to delegate permissions to an AWS service](id_roles_create_for-service.md).
**Configuring a service with an IAM role to work on your behalf**
When you want to configure an AWS service to work on your behalf, you typically provide the ARN for an IAM role that defines what the service is allowed to do. AWS checks to ensure that you have permissions to pass a role to a service. For more information, see [Grant a user permissions to pass a role to an AWS service](id_roles_use_passrole.md).
## Required actions
Actions are the things that you can do to a resource, such as viewing, creating, editing, and deleting that resource. Actions are defined by each AWS service.
To allow someone to perform an action, you must include the necessary actions in a policy that applies to the calling identity or the affected resource. In general, to provide the permission required to perform an action, you must include that action in your policy. For example, to create a user, you need add the CreateUser action to your policy.
In some cases, an action might require that you include additional related actions in your policy. For example, to provide permission for someone to create a directory in AWS Directory Service using the `ds:CreateDirectory` operation, you must include the following actions in their policy:
+ `ds:CreateDirectory`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeVpcs`
+ `ec2:CreateSecurityGroup`
+ `ec2:CreateNetworkInterface`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:AuthorizeSecurityGroupIngress`
+ `ec2:AuthorizeSecurityGroupEgress`
When you create or edit a policy using the visual editor, you receive warnings and prompts to help you choose all of the required actions for your policy.
For more information about the permissions required to create a directory in AWS Directory Service, see [Example 2: Allow a User to Create a Directory](https://docs.aws.amazon.com/directoryservice/latest/admin-guide/IAM_Auth_Access_IdentityBased.html#IAMPolicyExamples_DS_create_directory).
# Example policies for administering IAM resources
Following are examples of IAM policies that allow users to perform tasks associated with managing IAM users, groups, and credentials. This includes policies that permit users manage their own passwords, access keys, and multi-factor authentication (MFA) devices.
For examples of policies that let users perform tasks with other AWS services, like Amazon S3, Amazon EC2, and DynamoDB, see [Example IAM identity-based policies](access_policies_examples.md).
**Topics**
+ [Allow a user to list the account's groups, users, policies, and more for reporting purposes](#iampolicy-example-userlistall)
+ [Allow a user to manage a group's membership](#iampolicy-example-usermanagegroups)
+ [Allow a user to manage IAM users](#creds-policies-users)
+ [Allow users to set account password policy](#creds-policies-set-password-policy)
+ [Allow users to generate and retrieve IAM credential reports](#iampolicy-generate-credential-report)
+ [Allow all IAM actions (admin access)](#creds-policies-all-iam)
## Allow a user to list the account's groups, users, policies, and more for reporting purposes
The following policy allows the user to call any IAM action that starts with the string `Get` or `List`, and to generate reports. To view the example policy, see [IAM: Allows read-only access to the IAM console](reference_policies_examples_iam_read-only-console.md).
## Allow a user to manage a group's membership
The following policy allows the user to update the membership of the group called *MarketingGroup*. To view the example policy, see [IAM: Allows managing a group's membership programmatically and in the console](reference_policies_examples_iam_manage-group-membership.md).
## Allow a user to manage IAM users
The following policy allows a user to perform all the tasks associated with managing IAM users but not to perform actions on other entities, such as creating groups or policies. Allowed actions include these:
+ Creating the user (the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateUser.html) action).
+ Deleting the user. This task requires permissions to perform all of the following actions: [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSigningCertificate.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteSigningCertificate.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteLoginProfile.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteLoginProfile.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveUserFromGroup.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_RemoveUserFromGroup.html), and [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUser.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUser.html).
+ Listing users in the account and in groups (the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetUser.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUsers.html) and [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupsForUser.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListGroupsForUser.html) actions).
+ Listing and removing policies for the user (the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListAttachedUserPolicies.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DetachUserPolicy.html), [https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteUserPolicy.html) actions)
+ Renaming or changing the path for the user (the [https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html](https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateUser.html) action). The `Resource` element must include an ARN that covers both the source path and the target path. For more information on paths, see [Friendly names and paths](reference_identifiers.md#identifiers-friendly-names).
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToPerformUserActions",
"Effect": "Allow",
"Action": [
"iam:ListPolicies",
"iam:GetPolicy",
"iam:UpdateUser",
"iam:AttachUserPolicy",
"iam:ListEntitiesForPolicy",
"iam:DeleteUserPolicy",
"iam:DeleteUser",
"iam:ListUserPolicies",
"iam:CreateUser",
"iam:RemoveUserFromGroup",
"iam:AddUserToGroup",
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:PutUserPolicy",
"iam:ListAttachedUserPolicies",
"iam:ListUsers",
"iam:GetUser",
"iam:DetachUserPolicy"
],
"Resource": "*"
},
{
"Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
"Effect": "Allow",
"Action": [
"iam:GetAccount*",
"iam:ListAccount*"
],
"Resource": "*"
}
]
}
```
------
A number of the permissions included in the preceding policy allow the user to perform tasks in the AWS Management Console. Users who perform user-related tasks from the [AWS CLI](http://aws.amazon.com/cli/), the [AWS SDKs](http://aws.amazon.com/tools/), or the IAM HTTP query API only might not need certain permissions. For example, if users already know the ARN of policies to detach from a user, they do not need the `iam:ListAttachedUserPolicies` permission. The exact list of permissions that a user requires depends on the tasks that the user must perform while managing other users.
The following permissions in the policy allow access to user tasks via the AWS Management Console:
+ `iam:GetAccount*`
+ `iam:ListAccount*`
## Allow users to set account password policy
You might give some users permissions to get and update the [password policy](id_credentials_passwords_account-policy.md) of your AWS account. To view the example policy, see [IAM: Allows setting the account password requirements programmatically and in the console](reference_policies_examples_iam_set-account-pass-policy.md).
## Allow users to generate and retrieve IAM credential reports
You can give users permission to generate and download a report that lists all users in your AWS account. The report also lists the status of various user credentials, including passwords, access keys, MFA devices, and signing certificates. For more information about credential reports, see [Generate credential reports for your AWS account](id_credentials_getting-report.md). To view the example policy, see [IAM: Generate and retrieve IAM credential reports](reference_policies_examples_iam-credential-report.md).
## Allow all IAM actions (admin access)
You might give some users administrative permissions to perform all actions in IAM, including managing passwords, access keys, MFA devices, and user certificates. The following example policy grants these permissions.
**Warning**
When you give a user full access to IAM, there is no limit to the permissions that user can grant to him/herself or others. The user can create new IAM entities (users or roles) and grant those entities full access to all resources in your AWS account. When you give a user full access to IAM, you are effectively giving them full access to all resources in your AWS account. This includes access to delete all resources. You should grant these permissions to only trusted administrators, and you should enforce multi-factor authentication (MFA) for these administrators.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}
}
```
------
# IAM temporary delegation
## Overview
Temporary delegation accelerates onboarding and simplifies management for products from Amazon and AWS Partners that integrate with your AWS accounts. Instead of manually configuring multiple AWS services, you can delegate temporary, limited permissions that allow the product provider to complete setup tasks on your behalf in minutes through automated deployment workflows. You maintain administrative control with approval requirements and permission boundaries, while product provider permissions automatically expire after the approved duration with no manual cleanup required. If the product requires persistent access for ongoing operations, the provider can use temporary delegation to create an IAM role with a permission boundary that defines the role's maximum permissions. All product provider activity is tracked through AWS CloudTrail for compliance and security monitoring.
**Note**
Temporary delegation requests can only be created by Amazon products and qualified AWS Partners that have completed the feature onboarding process. Customers review and approve these requests but cannot create them directly. If you are an AWS Partner looking to integrate IAM temporary delegation into your product, see the [Partner Integration Guide](access_policies-temporary-delegation-partner-guide.md) for onboarding and integration instructions.
## How temporary delegation works
Temporary delegation enables Amazon and AWS Partners to request temporary, limited access to your account. Upon your approval, they can use delegated permissions to take actions on your behalf. Delegation requests define specific permissions to AWS services and actions that the product provider needs to deploy or configure resources in your AWS account. These permissions are only available for a limited time and automatically expire after the duration specified in the request.
**Note**
The maximum duration for delegated access is 12 hours. However, root users can only approve delegation requests with a duration of 4 hours or less. If a request specifies more than 4 hours, you must use a non-root identity to approve the request. For details, see [Permission simulation beta capability](temporary-delegation-initiate-request.md#temporary-delegation-permission-simulation).
For ongoing tasks, such as reading from an Amazon S3 bucket, delegation requests can include the creation of an IAM role that allows continued access to resources and actions after the temporary access expires. Product providers must attach a permission boundary to any IAM role created through temporary delegation. Permission boundaries limit a role's maximum permissions but do not grant permissions on their own. You can review the permission boundary as part of the request before approving it. For details, see [Permissions boundaries](access_policies_boundaries.md).
The process works as follows:
1. You log in to an Amazon or AWS Partner product to integrate it with your AWS environment.
1. The product provider initiates a delegation request on your behalf and redirects you to the AWS Management Console.
1. You review the requested permissions and determine whether to approve, deny, or forward the request to your administrator.
1. Once you or your administrator approves the request, the product provider can obtain approver's temporary credentials to perform the required tasks.
1. Product provider access automatically expires after the specified time period. However, any IAM role created through the temporary delegation request persists beyond this period, allowing the product provider to continue accessing resources and actions for ongoing management tasks.
![\[alt text not found\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/delegation-flow.png)
**Note**
You can only delegate permissions to a product provider if you have permissions to the services and actions included in the temporary delegation request. If you don't have access to the requested services and actions, the product provider does not receive these permissions when you approve the request.
If the permission check shows it is likely to succeed, you can approve the temporary delegation request and continue with the workflow.
If the permission check shows that you may not have sufficient permissions, forward the request to your administrator for approval. We recommend notifying your administrator about this request using your preferred method such as an email or a ticket.
Once your administrator approves the request, what happens next depends on the product provider's configuration:
+ If the product provider requested immediate access, they automatically receive temporary permissions and the access duration begins.
+ If the product provider requested release by the owner (initial recipient), you must return to the request to explicitly share temporary account access before the access duration begins. Product providers typically use this option when they need additional input from you, such as resource selection or configuration details, to complete the required task.
# Initiate a temporary delegation request
You can initiate a temporary delegation request only from supported Amazon or AWS Partner products. During a workflow that supports temporary delegation, you will be prompted to grant the product provider temporary, limited permissions to configure required AWS resources in your account. This automated approach provides a more streamlined experience by eliminating the need for you to configure these resources manually.
You can review delegation request details such as the specific IAM roles, policies, and AWS services the product provider needs before granting access. You can either approve the request yourself if you have sufficient permissions, or forward the request to your account administrator for approval. All product provider access is time-bounded and can be monitored and revoked as needed.
**To initiate a temporary delegation request**
1. Navigate to the console of a supported product from Amazon or AWS Partners that requires integration with your AWS account.
1. Select *Deploy with IAM temporary delegation*. Note that the option name may vary across supported products. Refer to the documentation of the product provider for details.
**Note**
If you are not already signed in to the AWS Management Console, a new window opens to the AWS sign-in page. We recommend that you sign in to your AWS account before initiating the temporary delegation request from the product console. For more information about how to sign in based on your user type and the AWS resources that you want to access, see the [AWS Sign-In User Guide](docs---aws.amazon.com.rproxy.goskope.comsignin/latest/userguide/what-is-sign-in.html).
1. Review the request details to confirm the product provider's product name and AWS account. You can also review the AWS identity that the product provider will use to perform actions on your behalf.
1. Review the *Access details* for the permissions that will be temporarily delegated by approving this request.
+ The *Permissions summary* section provides a high-level overview generated by AI that can help you understand what categories of AWS services can be accessed and what types of actions can be performed in each service.
+ Choose *View JSON* to review specific permissions the product provider needs to deploy in your AWS account, including access scope and resource limitations.
+ If the product provider creates an IAM role as part of a temporary delegation request, a permission boundary must be attached to the role. These IAM roles have permissions that continue to allow access to resources and actions after the requested access duration expires. Choose *View details* to review the permission boundary, which defines the maximum permissions that the role can have. The product provider will apply additional policies to the role during creation that define its actual permissions. These policies may appear more narrowly focused, or broader, than the boundary depending on how the product provider defines them. However, the permission boundary guarantees that the role's effective permissions will never exceed what you see during request approval, regardless of what policies are attached to the role. For more information, see [Permissions boundaries](access_policies_boundaries.md).
1. Review the permission simulation results. The permission simulation capability automatically evaluates your identity's permissions against those included in the request. Based on this analysis, a recommendation is displayed indicating whether to approve the request with your current identity or forward the request to an administrator. For details, see [Permission simulation beta capability ](#temporary-delegation-permission-simulation).
1. In the dialog, select how you would like to proceed.
+ Select *Allow access* when your identity has sufficient permissions to allow the product provider to perform onboarding procedures on your behalf. When you select this option, the product provider's access duration starts once you provide access.
+ Select *Request approval* if your identity doesn't have sufficient permissions to allow the product provider to perform onboarding procedures on your behalf. Then, choose *Create approval request*. When you select this option, a temporary delegation request link is created that you can share with your account administrator. Your administrator can access the AWS Management Console or use the access link to Review Temporary delegation requests to approve the request and share temporary access with the requestor.
**Note**
Granting product provider access requires two actions: accepting the delegation request (`AcceptDelegationRequest`) and releasing the exchange token (`SendDelegatedToken`). The AWS Management Console performs both steps automatically when you approve a request. If you use the AWS CLI or API, you must execute both steps separately.
## Permission simulation capability -beta
When you receive a temporary delegation request, you can either approve it yourself or forward it to your account administrator for approval. You can only delegate permissions to a product provider if you have permissions to the services and actions included in the temporary delegation request. If you don't have access to the requested services and actions, the product provider won't receive those permissions even if they're included in the request.
For example, a temporary delegation request requires the ability to create an Amazon S3 bucket, start and stop instances in Amazon EC2, and assume an IAM role. The identity that approves the request can start and stop instances in Amazon EC2, and assume an IAM role, but does not have permission to create an Amazon S3 bucket. When this identity approves the request, the product provider is not able to create an Amazon S3 bucket even though these permissions were included in the temporary delegation request.
Since you can only delegate permissions that you already possess, it's crucial to evaluate whether you have the requested permissions before approving. The permission simulation beta capability helps with this evaluation by comparing your permissions against those included in the request. The assessment indicates whether you can approve the request with your current identity or need to forward it to an administrator. If the analysis cannot validate that you have sufficient permissions, forward the request to an administrator for review. This assessment is based on simulated permission analysis and may differ from your live AWS environment, so review requested permissions carefully before proceeding.
## Next steps
After you initiate a temporary delegation request, you can manage and monitor the request through its lifecycle. The following procedures help you track, approve, and control temporary access:
+ [Review Temporary delegation requests](temporary-delegation-review-requests.md) – Monitor the status of your access requests, and view detailed information about requests to approve or deny temporary delegation requests.
+ [Revoke temporary delegation access](temporary-delegation-revoke-access.md) – Immediately terminate active temporary delegation sessions before they expire naturally.
# Review Temporary delegation requests
After initiating a temporary delegation request, you can monitor, approve, and reject requests in the IAM console. The Temporary delegation requests page provides a centralized view of all requests, including those that are pending approval, completed, or rejected. As an administrator, you can review these requests to grant product providers access to AWS resources or reject them based on your organization's security policies, business requirements, or compliance standards. This visibility helps you track the lifecycle of product provider access and maintain oversight of temporary permissions.
**Note**
You must have the iam:AcceptDelegationRequest permission to approve temporary delegation requests.
**To approve a temporary delegation request**
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
1. In the navigation pane on the left, choose *Temporary delegation requests*.
1. The main page displays a list of your temporary delegation requests with the following information:
+ *Request ID* – Unique identifier for the request
+ *Status* – Current status (Pending, Approved, Rejected, Shared, Expired)
+ *Requestor* - Product provider associated with the request
+ *Initiated by* - IAM principal in the account who initiated the request for the product provider
+ *Request created*– When the request was submitted
+ *Request expires* – When the request expired or will expire
1. (Optional) Use the filter options to view requests by status:
+ *All requests* – View all your requests regardless of status
+ *Pending* – View requests awaiting administrator approval
+ *Approved* – View approved requests
+ *Shared* – View requests for which access has been shared
+ *Rejected* – View rejected requests with rejection reasons
1. To view detailed information about a specific request or to review a pending request for approval, choose the request ID.
1. Review the detailed request information:
+ Product provider information
+ Request reason and justification
+ Requested duration
+ Requested AWS permissions
1. If you are an administrator reviewing a pending request, choose one of the following options:
+ To approve the request, choose *Approve*. In the approval dialog, you can view the results of the permission simulation. For more information, see [Permission simulation beta capability](temporary-delegation-initiate-request.md#temporary-delegation-permission-simulation). After confirming access duration and your AWS identity, choose *Approve* to grant access. If the product provider requested immediate access, they automatically receive temporary permissions and the access duration begins. Otherwise, notify the person who initiated the request to release access to the product provider.
+ To reject the request, choose *Reject*.
+ In the rejection dialog, provide a clear reason for the rejection to help the requester understand why their request was denied.
+ Choose *Reject* to deny access.
1. The request list automatically refreshes to show the most current status information. You can also manually refresh the page to check for status updates.
# Revoke Temporary delegation access
Although product provider access sessions are designed to expire automatically after their approved duration, you may need to terminate access immediately in certain situations. Revoking active product provider access provides an emergency control mechanism when security concerns arise, when the product provider's work is completed early, or when business requirements change. Both request initiators and administrators can revoke access to maintain security and operational control.
**To revoke temporary delegation access**
1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
1. In the navigation pane on the left, choose *Temporary delegation requests*.
1. Locate the request ID for the access session you want to revoke.
1. Choose *Actions* and then choose *Revoke access*.
1. In the dialog, choose *Revoke access* to confirm that you want to immediately terminate the access session.
After revoking access, the product provider will no longer be able to access your AWS resources. The revocation is logged in AWS CloudTrail for audit purposes.
**Important**
Revoking access immediately terminates the product provider access session. Any ongoing work or processes using the access will be interrupted. Ensure that revocation won't disrupt critical operations.
**Note**
You cannot revoke access for requests that were approved using a root user. AWS recommends that you avoid using a root user to approve delegation requests. Use an IAM role with appropriate permissions instead.
## Managing Permissions for Delegation Requests
Administrators can grant IAM principals permissions to manage delegation requests from product providers. This is useful when you want to delegate approval authority to specific users or teams in your organization, or when you need to control who can perform specific actions on delegation requests.
The following IAM permissions are available for managing delegation requests:
| Permission | Description |
| --- | --- |
| iam:AssociateDelegationRequest | Associate an unassigned delegation request with your AWS account |
| iam:GetDelegationRequest | View details of a delegation request |
| iam:UpdateDelegationRequest | Forward a delegation request to an administrator for approval |
| iam:AcceptDelegationRequest | Approve a delegation request |
| iam:SendDelegationToken | Release the exchange token to the product provider after approval |
| iam:RejectDelegationRequest | Reject a delegation request |
| iam:ListDelegationRequests | List delegation requests for your account |
**Note**
By default, IAM principals who initiate a delegation request are automatically granted permissions to manage that specific request. They can associate it with their account, view request details, reject a request, forward it to an administrator for approval, release the exchange token to the product provider after admin approval, and list delegation requests that they own.
# Notifications
IAM temporary delegation integrates with AWS User Notifications to help you stay informed about delegation request state changes. Notifications are particularly useful for administrators who need to review and approve delegation requests.
With AWS User Notifications, you can configure alerts to be delivered through multiple channels, including email, Amazon Simple Notification Service (SNS), AWS Chatbot for Slack or Microsoft Teams, and AWS Console Mobile Application. This ensures that the right people are notified at the right time, enabling faster response to pending approvals or awareness of access changes. You can also customize which events trigger notifications based on your organization's needs and security requirements.
## Available Notification Events
You can subscribe to receive notifications for the following IAM temporary delegation events:
+ IAM Temporary Delegation Request Created
+ IAM Temporary Delegation Request Assigned
+ IAM Temporary Delegation Request Pending Approval
+ IAM Temporary Delegation Request Rejected
+ IAM Temporary Delegation Request Accepted
+ IAM Temporary Delegation Request Finalized
+ IAM Temporary Delegation Request Expired
## Configuring Notifications
To configure notifications for IAM temporary delegation events:
1. Open the AWS User Notifications console
1. Create or update a notification configuration
1. Select AWS IAM as the service
1. Choose which delegation request events you want to be notified about
1. Configure your delivery channels (email, AWS Chatbot, etc.)
For detailed instructions on configuring AWS User Notifications, including setting up delivery channels and managing notification rules, see the AWS User Notifications documentation.
# CloudTrail
All actions performed by product providers using temporary delegated access are automatically logged in AWS CloudTrail. This provides complete visibility and auditability of product provider activity in your AWS account. You can identify which actions were taken by product providers, when they occurred, and which product provider account performed them.
To help you distinguish between actions taken by your own IAM principals and those taken by product providers with delegated access, CloudTrail events include a new field called `invokedByDelegate` under the `userIdentity` element. This field contains the AWS account ID of the product provider, making it easy to filter and audit all delegated actions.
## CloudTrail Event Structure
The following example shows a CloudTrail event for an action performed by a product provider using temporary delegated access:
```
{
"eventVersion": "1.09",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:Role-Session-Name",
"arn": "arn:aws:sts::111122223333:assumed-role/Role-Name/Role-Session-Name",
"accountId": "111122223333",
"accessKeyId": "[REDACTED:AWS_ACCESS_KEY]",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::111122223333:role/Admin",
"accountId": "111122223333",
"userName": "Admin"
},
"attributes": {
"creationDate": "2024-09-09T17:50:16Z",
"mfaAuthenticated": "false"
}
},
"invokedByDelegate": {
"accountId": "444455556666"
}
},
"eventTime": "2024-09-09T17:51:44Z",
"eventSource": "iam.amazonaws.com",
"eventName": "GetUserPolicy",
"awsRegion": "us-east-1",
"requestParameters": {
"userName": "ExampleIAMUserName",
"policyName": "ExamplePolicyName"
},
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
```
The `invokedByDelegate` field contains the AWS account ID of the product provider who performed the action using delegated access. In this example, account 444455556666 (the product provider) performed an action in account 111122223333 (the customer account).
# IAM temporary delegation for AWS Partners
## Overview
IAM temporary delegation enables AWS customers to seamlessly onboard and/or integrate AWS Partner products into their AWS environment through interactive, guided workflows. Customers can grant AWS Partners limited, temporary access to configure required AWS services, reducing onboarding friction and accelerating time to value.
IAM temporary delegation enables partners to:
+ Streamline customer onboarding with automated resource provisioning
+ Reduce integration complexity by eliminating manual configuration steps
+ Build trust through transparent, customer-approved permissions
+ Enable ongoing operations with long-term access patterns using permission boundaries
## How it works
1. *Partner creates a delegation request* - Partners create a request specifying what permissions they need and for how long
1. *Customer reviews in AWS Console* - Customer sees exactly what permissions partner is requesting and why
1. *Customer approves* - Customer approves the request and releases an exchange token. The token is sent to partner on this specified SNS topic.
1. *Partner receives temporary credentials* - Partners exchange the token for temporary AWS credentials
1. *Partner configures resources* - Partners use the credentials to set up required resources in the customer's account
## Partner qualification
To qualify for temporary delegation integration, a partner must meet the following requirements:
+ *ISV Accelerate participation* – You must be enrolled in the [ISV Accelerate (ISVA)](https://aws.amazon.com/partners/programs/isv-accelerate/) program.
+ *AWS Marketplace listing* – Your product must be listed in the AWS Marketplace with a "Deployed on AWS" badge.
## Onboarding process
Complete the following steps to integrate temporary delegation into your product:
1. *Step 1: Review requirements*
Review this documentation to understand the qualification requirements and complete the partner questionnaire below.
1. *Step 2: Submit your onboarding request*
Send an email to aws-iam-partner-onboarding@amazon.com or contact your AWS representative. Include your completed partner questionnaire with all required fields from the table below.
1. *Step 3: AWS validation and review*
AWS will:
+ Validate that you meet the qualification criteria
+ Review your policy templates and permission boundaries
+ Provide feedback on your submitted artifacts
1. *Step 4: Refine your policies*
Respond to AWS feedback and submit updated policy templates or permission boundaries as needed.
1. *Step 5: Complete registration*
Once approved, AWS will:
+ Enable API access for your specified accounts
+ Share ARNs for your policy template and permissions boundary (if applicable)
You will receive confirmation when onboarding is complete. You can then access temporary delegation APIs, CreateDelegationRequest and GetDelegatedAccessToken from your registered accounts and begin integrating delegation request workflows into your product.
## Partner questionnaire
The following table lists the information required for partner onboarding:
| Information | Description | Required |
| --- | --- | --- |
| Partner Central AccountID | Account ID of your registered AWS account on [AWS Partner Central](https://partnercentral.awspartner.com/partnercentral2/s/login). | Yes |
| PartnerId | Partner ID provided by [AWS Partner Central](https://partnercentral.awspartner.com/partnercentral2/s/login). | No |
| AWS Marketplace Product Id | Product ID for your product provided by [AWS Partner Central](https://partnercentral.awspartner.com/partnercentral2/s/login). | Yes |
| AWS accountIDs | The list of your AWS Account IDs that you want to use to call temporary delegation APIs. This should include both your production and non-production/test accounts. | Yes |
| Partner name | This name is displayed to customers in the AWS Management Console when they review your temporary delegation request. | Yes |
| Contact email(s) | One or more email addresses that we can use to contact you about your integration. | Yes |
| Requestor Domain | Your domain (for example, www.example.com) | Yes |
| Integration description | Brief description of the use case that you want to address using this feature. You can include reference links to your documentation or other public material. | Yes |
| Architecture diagram | Architecture diagram illustrating your integration use case(s). | No |
| Policy template | You must register at least one policy template for this feature. The policy template defines the temporary permissions you want to request in customers' AWS accounts. For more information, see Policy template section. | Yes |
| Policy template name | Name of the policy template you want to register. | Yes |
| Permissions Boundary | If you want to create IAM roles in customers' accounts using temporary permissions, you must register a permission boundary with IAM. Permission boundaries will be attached to the IAM roles that you create to limit the maximum permissions on the role. You can use selected AWS managed policies as a permission boundary or register a new custom permission boundary (JSON). For more information, see Permissions Boundary section. | No |
| Permission Boundary Name | The name of your permission boundary. The format is: arn:aws:iam::partner:policy/permission\$1boundary//\$1 The policy name must include the creation date as a suffix. The name cannot be updated once the permission boundary is created. If you are using an existing AWS managed policy, provide the managed policy ARN instead. | No |
| Permission Boundary Description | Description for the permission boundary. This description cannot be updated once the permission boundary is created. | No |
# Understanding your integration
After completing the onboarding process, you can build your integration with IAM temporary delegation. A complete integration typically involves three main categories of work:
## 1. User Experience and Workflow Design
Build a front-end experience in the partner application that guides customers through the temporary delegation workflow. Partner application should:
+ Present a clear onboarding or configuration flow where customers can grant temporary access. Label this action clearly, such as "Deploy with IAM temporary delegation".
+ Redirect customers to the AWS Management Console to review and approve the delegation request using the console link returned by the CreateDelegationRequest API
+ Provide appropriate messaging about what permissions are being requested and why. Customers can see this message on the delegation request details page.
+ Handle the customer's return to your application after they complete the approval in AWS.
## 2. API Integration
Use IAM temporary delegation APIs to send and manage delegation requests. Once your AWS accounts are registered, you can access the following APIs:
+ *IAM CreateDelegationRequest* – Creates a delegation request for a customer's AWS account. This API returns a console link that you redirect customers to for reviewing and approving the request.
+ *AWS STS GetDelegatedAccessToken* – Retrieves temporary AWS credentials after a customer approves your delegation request. Use these credentials to perform actions in the customer's account.
Your integration should handle the complete lifecycle of delegation requests, including creating requests, monitoring their status, and retrieving temporary credentials when approved.
## 3. Resource Configuration and Orchestration
Once you obtain temporary credentials, orchestrate the necessary workflows to configure resources in the customer's AWS account. This may include:
+ Calling AWS service APIs directly to create and configure resources
+ Deploying infrastructure using AWS CloudFormation templates
+ Creating IAM roles for ongoing access (requires using permission boundaries)
Your orchestration logic should be idempotent and handle failures gracefully, as customers may need to retry or modify their delegation approvals.
# Understanding permissions
As part of the feature onboarding process, you will need to register policies with IAM that define the permissions you want to request in customers' AWS accounts. The registration process provides a more consistent experience for customers and helps avoid common pitfalls in policy authoring.
During registration, AWS evaluates your policies against a set of validations. These validations are intended to standardize policy formatting and structure, and provide basic protections against known anti-patterns. The validations also reduce the risk of privilege escalations, unintended cross-account access, and broad access to high-value resources in customer accounts.
## Permission Types
AWS will consider two categories of permissions: temporary and long-term.
### Temporary Permissions
Temporary permissions limit the permissions assigned to any temporary delegated access sessions. Temporary permissions are described in policy templates that are applied to the delegated session. The templates support parameters that you supply when you create a delegation request. These parameter values are then bound to the session. The temporary permissions work in the same way as the session policies available in AWS STS today: the policies limit the capability of the underlying user, but do not grant any additional access. For more information, see the AWS STS documentation on session policies.
### Long-Term Permissions
Long-term permissions limit the permissions of any roles that are created or managed via temporary access. Long-term permissions are implemented as IAM permissions boundaries. You may submit one or more permission boundaries to AWS as part of onboarding. Once approved, AWS will share a policy ARN with you that you can reference in your policies.
These boundary policies have two noteworthy features. First, they are immutable. If you want to update permissions, you can register a new permissions boundary. You can then attach the new permissions boundary to your customers' roles by sending a new delegation request. Second, the policies are not templated. Since the same boundary policy is globally shared, they cannot be altered on a per-customer basis.
**Important**
Permission boundaries have a maximum size limit of 6,144 characters.
**Note**
If you would like to update a permission boundary or policy template, contact IAM at aws-iam-partner-onboarding@amazon.com. Once the new permission boundary is registered, you can then send a delegation request to customers to update the IAM role and attach the newly registered permission boundary. See the Examples section for more details.
## Example Use Case: Data Processing Workload
Consider a product provider that runs a data processing workload in customer accounts. The provider needs to set up infrastructure during initial onboarding, but also requires ongoing access to operate the workload.
*Temporary permissions (for initial setup):*
+ Create Amazon EC2 instances, VPC, and security groups
+ Create an Amazon S3 bucket for processed data
+ Create an IAM role for ongoing operations
+ Attach a permission boundary to the IAM role
*Long-term permissions (IAM role with permission boundary for ongoing operations):*
+ Start and stop Amazon EC2 instances to run processing jobs
+ Read input data from Amazon S3 bucket
+ Write processed results to Amazon S3 bucket
The temporary permissions are used once during onboarding to configure the infrastructure. The IAM role created during this process has a permission boundary that limits its maximum permissions to only the operations needed for ongoing workload management. This ensures that even if the role's policies are modified, it cannot exceed the permissions defined in the boundary.
# Policy evaluation guidelines
AWS will evaluate your submitted policies against a set of guidelines. The same evaluation guidelines apply to both policy templates and permission boundaries, with minor differences noted where appropriate.
For the purposes of evaluation, we separate services into distinct groups. The most important distinction is for security-sensitive services, which manage access, credentials, and keys. Policies granting access to these services need to be focused narrowly on the work being done. Security-sensitive services include the following: AWS Identity and Access Management (IAM), AWS Key Management Service (KMS), AWS Resource Access Manager (RAM), AWS IAM Identity Center, AWS Organizations, and AWS Secrets Manager.
A secondary distinction is services that can access data across account boundaries. Policies for these services must include protections to prevent unintentional cross-account access.
## Common validations
All policy statements must follow these guidelines:
+ All statements must include Effect, Action (or NotAction), Resource, and Condition fields in that order
+ All actions within a single statement must be listed alphabetically
+ All ARNs included in the policy must follow the syntax defined in public documentation for the relevant services
+ NotAction fields can only be used in Deny statements
+ Actions in Allow statements must include a service code. Generic wildcards ("\$1") are not allowed
## Security-sensitive service restrictions
The following restrictions apply to security-sensitive services mentioned above:
+ Actions in Allow statements must be more specific than [service]:\$1
+ Actions in Allow statements for temporary access policy templates must not contain wildcards
+ Sensitive actions, such as iam:PassRole or iam:CreateServiceLinkedRole, require additional scoping, such as specific resources or conditional checks. These actions include:
+ IAM role passing
+ IAM role modification actions
+ IAM policy modification actions
+ AWS KMS write or cryptographic operations
+ AWS RAM write or share operations
+ AWS Secrets Manager operations for retrieving or modifying secrets, or modifying resource policies
+ Other actions may use a wildcard resource, such as iam:ListUsers or iam:GetPolicy
+ Actions that manage credentials, such as iam:CreateAccessKey, are blocked
## IAM-specific restrictions
For IAM:
+ Only limited write operations are allowed for IAM roles and policies. You can not request permissions on other IAM resources such as users, groups, and certificates.
+ Policy attachment or inline policy management actions are limited to roles with a permission boundary. Permission boundaries must be partner-supplied or on a list of allowed AWS managed policies. AWS managed policies may be allowed if they do not grant highly privileged or administrative permissions. For example, AWS managed policies for specific job functions or the SecurityAudit policy may be acceptable. AWS will review each AWS managed policy on a case-by-case basis during the onboarding process.
+ Policy management is only allowed for policies with a partner-specific path: arn:aws:iam::@\$1AccountId\$1:policy/partner\$1domain.com/[feature]\$1
+ Tags may only be applied during resource creation, and only for roles and policies
+ iam:PassRole checks must match a specific name or path prefix
## AWS STS-specific restrictions
For AWS STS:
+ sts:AssumeRole must be scoped to a specific role ARN, role ARN prefix, or limited to a set of accounts or organization ID/organizational unit
## IAM Identity Center restrictions
For AWS IAM Identity Center, the following actions are blocked:
+ All actions dealing with permissions management (e.g., sso:AttachCustomerManagedPolicyReferenceToPermissionSet)
+ User, group, and membership modifications for AWS Identity Store
+ Tag management
## AWS Organizations restrictions
For AWS Organizations, only read actions will be allowed.
## Additional service-specific validations
+ Actions that acquire secrets or credentials, such as glue:GetConnection or redshift:GetClusterCredentials, must have conditions matching either full ARNs, ARN prefixes, or tags
+ For Amazon Redshift: redshift:GetClusterCredentials is only allowed on a specific database name, and redshift:GetClusterCredentialsWithIAM is only allowed on a specific workgroup name
**Note**
When managing IAM resources in the account, we recommend using a path that indicates your name, e.g., arn:aws:iam::111122223333:role/partner.com/rolename. This will help differentiate the resources associated with your integration and make discovery, audit, and analysis easier for customers.
## Cross-account access requirements
Statements that potentially allow cross-account access must include at least one of the following:
+ A condition specifying the account or organization for the resource (e.g., aws:ResourceOrgId matching one or more expected values)
+ A Resource field that includes a specific account (e.g., arn:aws:sqs:\$1:111122223333:\$1)
+ A Resource field that includes a non-wildcard account and a full resource name (e.g., arn:aws:s3:::full-bucket-name)
**Note**
Cross-account access is a sensitive capability that requires clear business justification. AWS will carefully review the need for cross-account access during the onboarding process.
# Policy templates
Policy templates are a new IAM construct designed for defining temporary permissions that partners request in customers' accounts. Like regular IAM policies, they define permissions using statements with Effect, Action, Resource, and Condition elements. The key difference is that policy templates include parameters (such as @\$1bucketName\$1) that are replaced with actual values when you create a delegation request.
## How Policy Templates Work
As part of the onboarding process, you register your policy templates with AWS. AWS assigns each template a unique ARN that you reference when creating delegation requests.
When you create a delegation request, you specify:
+ The policy template ARN
+ Parameter values to substitute into the template
AWS combines the template with your parameter values to generate a standard IAM policy. Customers review this final rendered policy when approving your delegation request, seeing exactly what permissions will be granted.
**Note**
The final rendered policy has a maximum size limit of 2048 characters.
Here's a simple example showing how template substitution works.
Policy Template:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::@{bucketName}/*"
}
]
}
```
Parameters Provided in Delegation Request:
```
{
"Name": "bucketName",
"Values": ["customer-data-bucket"],
"Type": "String"
}
```
Final rendered policy (what customers see):
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::customer-data-bucket/*"
}
]
}
```
## Template Syntax
Policy templates use two key features to provide flexibility: parameter substitution and conditional statements. Parameter substitution allows you to define placeholders in your template that are replaced with actual values when creating a delegation request. Conditional statements allow you to include or exclude entire policy statements based on parameter values.
### Parameter Substitution and Types
Use the @\$1parameterName\$1 syntax to define parameters in your policy template. When creating a delegation request, you must specify the type for each parameter.
#### String
A single value that is substituted directly into the template.
Template:
```
"Resource": "arn:aws:s3:::@{bucketName}/*"
```
Parameters:
```
{
"Name": "bucketName",
"Values": ["my-bucket"],
"Type": "String"
}
```
Rendered result:
```
"Resource": "arn:aws:s3:::my-bucket/*"
```
#### StringList
Multiple values that generate multiple resource entries. When a StringList parameter is used in a resource ARN, it expands to create separate resource entries for each value.
Template:
```
"Resource": "arn:aws:s3:::@{bucketNames}/*"
```
Parameters:
```
{
"Name": "bucketNames",
"Values": ["bucket-1", "bucket-2"],
"Type": "StringList"
}
```
Rendered result:
```
"Resource": [
"arn:aws:s3:::bucket-1/*",
"arn:aws:s3:::bucket-2/*"
]
```
#### Cross-Product Behavior
When multiple parameters are used in the same resource ARN, StringList parameters create a cross-product of all combinations.
Template:
```
"Resource": "arn:aws:s3:::@{bucketNames}/@{prefix}/*"
```
Parameters:
```
[
{
"Name": "bucketNames",
"Values": ["bucket-1", "bucket-2"],
"Type": "StringList"
},
{
"Name": "prefix",
"Values": ["data"],
"Type": "String"
}
]
```
Rendered result:
```
"Resource": [
"arn:aws:s3:::bucket-1/data/*",
"arn:aws:s3:::bucket-2/data/*"
]
```
### Conditional Statements
Use the @Enabled directive to conditionally include or exclude entire statements based on parameter values.
Syntax:
+ @Enabled: "parameterName" - Include the statement when parameter value is "True"
+ @Enabled: "\$1parameterName" - Include the statement when parameter value is NOT "True" (negation)
Template:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
},
{
"@Enabled": "ENABLE_S3_WRITE",
"Effect": "Allow",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::@{bucketName}/*"
}
]
}
```
Parameters (when ENABLE\$1S3\$1WRITE is "True"):
```
[
{
"Name": "bucketName",
"Values": ["my-bucket"],
"Type": "String"
},
{
"Name": "ENABLE_S3_WRITE",
"Values": ["True"],
"Type": "String"
}
]
```
Rendered result:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
```
Parameters (when ENABLE\$1S3\$1WRITE is "False"):
```
[
{
"Name": "bucketName",
"Values": ["my-bucket"],
"Type": "String"
},
{
"Name": "ENABLE_S3_WRITE",
"Values": ["False"],
"Type": "String"
}
]
```
Rendered result:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "*"
}
]
}
```
When ENABLE\$1S3\$1WRITE is set to "True", the conditional statement is included. When set to "False", the statement is excluded from the rendered policy.
## Additional Examples
The following examples demonstrate common patterns for using policy templates in temporary delegation. They focus on creating IAM roles with permission boundaries for long-term access and show different strategies for scoping permissions to specific resources. These examples illustrate how to balance flexibility with security by using techniques such as ARN prefixes, resource tagging, and permission boundary updates.
### Example 1: Granting Long-Term Access to Specific Resources
The following permission boundary is submitted as "SQSAccessorBoundary" for "partner.com":
```
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:*:*:*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
```
**Note**
This includes a same-account condition to avoid granting access to queues in other accounts with open resource policies. A direct reference to the customer's account ID cannot be included because the boundary is shared across all customers and cannot be templated.
Since this is the first version of this policy, its ARN is arn:aws:iam::partner:policy/permissions-boundary/partner.com/SQSAccessorBoundary\$12025\$101\$115
The following policy template is submitted for temporary access permissions:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:ListQueues"
],
"Resource": "arn:aws:sqs:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy"
],
"Resource": "arn:aws:iam::@{AccountId}:role/partner.com/SQSAccessor",
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::partner:policy/permissions-boundary/partner.com/SQSAccessorBoundary_2025_01_15"
}
}
}
]
}
```
### Example 2: Using ARN Prefixes
The permission boundary can specify a resource ARN prefix to limit access:
```
"Resource": "arn:aws:sqs:*:@{AccountId}:PartnerPrefix*"
```
This limits access to only the resources with that prefix, reducing the scope of accessible resources.
### Example 3: Using Tags for Resource Access Control
You can tag resources during temporary delegated access and rely on those tags for long-term access control.
Permission boundary allowing access to tagged resources:
```
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:*:*:*",
"Condition": {
"Null": {
"aws:ResourceTag/ManagedByPartnerDotCom": "false"
},
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
```
Policy template to tag new queues on creation:
```
{
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
"sqs:TagQueue"
],
"Resource": "arn:aws:sqs:*:*:*",
"Condition": {
"Null": {
"aws:RequestTag/ManagedByPartnerDotCom": "false"
}
}
}
```
Policy template to tag pre-existing queues and create the role:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:TagQueue"
],
"Resource": "arn:aws:sqs:*:@{AccountId}:@{QueueName}",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": "ManagedByPartnerDotCom"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:PutRolePermissionsBoundary",
"iam:PutRolePolicy"
],
"Resource": "arn:aws:iam::@{AccountId}:role/partner.com/SQSAccessor",
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::partner:policy/permissions-boundary/partner.com/SQSAccessorBoundary_2025_01_15"
}
}
}
]
}
```
This approach allows customers to explicitly confirm which specific resources can be accessed long-term.
### Example 4: Updating the Permission Boundary
To update a permission boundary, register a new version with a new date suffix and request permission to replace it.
Updated permission boundary with additional permission:
```
{
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:PurgeQueue",
"sqs:ReceiveMessage",
"sqs:SendMessage"
],
"Resource": "arn:aws:sqs:*:*:*",
"Condition": {
"StringEquals": {
"aws:ResourceAccount": "${aws:PrincipalAccount}"
}
}
}
```
As the second version, this policy has the ARN: arn:aws:iam::partner:policy/permissions-boundary/partner.com/SQSAccessorBoundary\$12025\$101\$120
Policy template to update the permission boundary on the existing role:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PutRolePermissionsBoundary"
],
"Resource": "arn:aws:iam::@{AccountId}:role/partner.com/SQSAccessor",
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::partner:policy/permissions-boundary/partner.com/SQSAccessorBoundary_2025_01_20"
}
}
}
]
}
```
Customers must approve this delegation request to update the permission boundary on the existing role.
# Building your integration
## Understanding the Request Lifecycle
Before building your integration, it's important to understand how delegation requests progress from creation to completion.
### Request States
A delegation request progresses through the following states:
| State | Description |
| --- | --- |
| Unassigned | Request created but not yet associated with a customer account and an IAM principal. The request may have been created without specifying a target account, or with a target account ID but not yet claimed by the account owner. |
| Assigned | Request associated with a customer account and awaiting review |
| Pending Approval | Customer has forwarded the request to an administrator for approval |
| Accepted | Request approved by customer but exchange token not yet released |
| Finalized | Exchange token released to product provider. The delegation period (exchange token validity) begins when the request reaches Finalized state |
| Rejected | Request rejected by customer |
| Expired | Request expired due to inactivity or timeout |
### State Transitions
*Normal Flow (Approval Path)*
+ Unassigned → Assigned: Customer associates the request with their account
+ Assigned → Accepted OR Assigned → Pending Approval: Customer approves the request directly OR forwards to administrator for review
+ Pending Approval → Accepted: Administrator approves the request
+ Accepted → Finalized: Customer releases the exchange token
*Rejection Path*
+ Assigned → Rejected: Customer rejects the request
+ Pending Approval → Rejected: Administrator rejects the request
+ Accepted → Rejected: Customer revokes approval before releasing token
*Expiration Path*
Requests automatically expire if no action is taken within the specified timeframe:
+ Unassigned → Expired (1 day)
+ Assigned → Expired (7 days)
+ Pending Approval → Expired (7 days)
+ Accepted → Expired (7 days)
+ Rejected → Expired (7 days)
+ Finalized → Expired (7 days)
*Terminal States*
The following states are terminal (no further transitions):
+ Finalized: Exchange Token sent
+ Rejected: Request was denied
+ Expired: Request timed out or delegation period ended
Expired requests are eventually deleted from the system after the retention period.
### Managing delegation request states in your application
As a partner, you must track delegation request states in your system and surface them to your customers. When you receive SNS notifications about state changes, store these updates in your backend and reflect them in your customer-facing UI. Pay special attention to the Pending Approval state—when a customer forwards a request to an administrator for review, AWS sends a Pending Approval notification to you. Requests can remain in this state for up to 7 days while waiting for administrator action. During this time, show customers that their request is pending administrator approval in your application. Consider providing a deep link to the AWS Console where customers can check the request status or follow up with their administrator. Properly handling the state machine in your backend and surfacing the correct state information to customers at each stage is important for a good integration experience.
![\[alt text not found\]](http://docs.aws.amazon.com/IAM/latest/UserGuide/images/delegation-states.png)
## Configuring Notifications
IAM uses Amazon Simple Notification Service (SNS) to communicate delegation request state changes to you. When you create a delegation request, you must provide an SNS topic ARN from your registered AWS account. IAM will publish messages to this topic for important events, including when customers approve or reject requests and when the exchange token is ready.
**Note**
SNS topics cannot be in opt-in AWS Regions. Your SNS topic must be in an AWS Region that is enabled by default. For a list of opt-in Regions, see Managing AWS Regions in the AWS Account Management guide.
### SNS Topic Configuration
To receive delegation request notifications, you must configure your SNS topic to grant IAM permissions to publish messages to it. Add the following policy statement to your SNS topic policy:
```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIAMServiceToPublish",
"Effect": "Allow",
"Principal": {
"Service": "iam.amazonaws.com"
},
"Action": "SNS:Publish",
"Resource": "arn:aws:sns:REGION:ACCOUNT-ID:TOPIC-NAME"
}
]
}
```
**Important**
The SNS topic must be in one of your registered AWS accounts. IAM will not accept SNS topics from other accounts. If the topic policy is not correctly configured, you will not receive state change notifications or the exchange token.
### Notification Types
IAM sends two types of notifications:
*StateChange Notifications*
Sent when a delegation request transitions to a new state (Assigned, Pending Approval, Accepted, Finalized, Rejected, Expired).
*ExchangeToken Notifications*
Sent when a customer releases the delegation token (state Finalized). This notification includes the exchange token you need to obtain credentials.
### Notification States
You will receive notifications for the following delegation request states:
| State | Notification Type | Description |
| --- | --- | --- |
| ASSIGNED | StateChange | Request has been associated with a customer account |
| PENDING APPROVAL | StateChange | Customer has forwarded the request to an administrator for approval |
| ACCEPTED | StateChange | Customer has approved the request but not yet released the token |
| FINALIZED | StateChange | Customer has released the exchange token |
| FINALIZED | ExchangeToken | This notification contains the Exchange Token |
| REJECTED | StateChange | Customer has rejected the request |
| EXPIRED | StateChange | Request expired before completion |
### Notification Message Format
IAM publishes standard SNS notifications. The delegation request information is contained in the Message field as a JSON string.
*Common Fields (All Notifications)*
| Field | Type | Description |
| --- | --- | --- |
| Type | String | Either "StateChange" or "ExchangeToken" |
| RequestId | String | The IAM delegation request ID |
| RequestorWorkflowId | String | The workflow ID you provided when creating the request |
| State | String | Current state of the request |
| OwnerAccountId | String | Customer's AWS account ID |
| UpdatedAt | String | Timestamp when the state changed (ISO 8601 format) |
*Additional Fields (ExchangeToken Notifications Only)*
| Field | Type | Description |
| --- | --- | --- |
| ExchangeToken | String | The token to exchange for credentials using AWS STS GetDelegatedAccessToken API |
| ExpiresAt | String | When the delegated access expires (ISO 8601 format) |
### Example Notifications
*StateChange Notification*
```
{
"Type": "Notification",
"MessageId": "61ee8ad4-6eec-56b5-8f3d-eba57556aa13",
"TopicArn": "arn:aws:sns:us-east-1:123456789012:partner-notifications",
"Message": "{\"RequestorWorkflowId\":\"workflow-12345\",\"Type\":\"StateChange\",\"RequestId\":\"dr-abc123\",\"State\":\"ACCEPTED\",\"OwnerAccountId\":\"111122223333\",\"UpdatedAt\":\"2025-01-15T10:30:00.123Z\"}",
"Timestamp": "2025-01-15T10:30:00.456Z",
"SignatureVersion": "1",
"Signature": "...",
"SigningCertURL": "...",
"UnsubscribeURL": "..."
}
```
*ExchangeToken Notification*
```
{
"Type": "Notification",
"MessageId": "e44e5435-c72c-5333-aba3-354406782f5b",
"TopicArn": "arn:aws:sns:us-east-1:123456789012:partner-notifications",
"Message": "{\"RequestId\":\"dr-abc123\",\"RequestorWorkflowId\":\"workflow-12345\",\"State\":\"FINALIZED\",\"OwnerAccountId\":\"111122223333\",\"ExchangeToken\":\"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\",\"ExpiresAt\":\"2025-01-15T18:30:00.123Z\",\"UpdatedAt\":\"2025-01-15T10:30:00.456Z\",\"Type\":\"ExchangeToken\"}",
"Timestamp": "2025-01-15T10:30:00.789Z",
"SignatureVersion": "1",
"Signature": "...",
"SigningCertURL": "...",
"UnsubscribeURL": "..."
}
```
## Exchange Tokens
An exchange token or a trade in token is issued by IAM when a customer accepts and finalizes a delegation request. The product provider uses this exchange or trade in token to call the AWS STS GetDelegatedAccessToken API to obtain temporary AWS credentials with the permissions customers approved. The exchange token itself does not grant access to your AWS resources; it must be exchanged for actual credentials through AWS STS.
The exchange token can only be redeemed by the product provider account that created the delegation request. The requesting account is embedded in the token, ensuring that only the authorized product provider can obtain credentials to access customer account.
### Access Duration
The delegation period starts when customer releases the exchange token, not when the product provider redeems it. Once customer releases the token:
+ The product provider receives the token via SNS notification
+ They can immediately exchange it for credentials
+ Credentials expire at: release time \$1 approved duration
+ The product provider can exchange the token multiple times before expiration to obtain fresh credentials if needed
### Multiple Redemptions
Product providers can exchange the token multiple times during the validity period to obtain fresh credentials. However, all credentials obtained from the same exchange token expire at the same time, based on when you released the token.
Example: If you approve a 2-hour delegation request and release the token at 10:00 AM:
| Token Release Time | Token Exchange Time | Credential Expiry | Usable Time |
| --- | --- | --- | --- |
| 10:00 am | 10:00 am | 12:00 pm | 2 hours |
| 10:00 am | 10:20 am | 12:00 pm | 1 hour 40 minutes |
| 10:00 am | 11:40 am | 12:00 pm | 20 minutes |
| 10:00 am | 12:10 pm | Failed (token expired) | 0 minutes |
As shown in the table, exchanging the token later in the validity period results in less usable time for the product provider.