Actions, resources, and condition keys for AWS services

The Access level column describes how the action is classified (List, Read, Write, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Understanding access level summaries within policy summaries.

The Resource types column indicates whether the action supports resource-level permissions. If the column is empty, then the action does not support resource-level permissions and you must specify all resources ("*") in your policy. If the column includes a resource type, then you can specify the resource ARN in the Resource element of your policy. For more information about that resource, refer to that row in the Resource types table. All actions and resources that are included in one statement must be compatible with each other. If you specify a resource that is not valid for the action, any request to use that action fails, and the statement's Effect does not apply.

Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

The Condition keys column includes keys that you can specify in a policy statement's Condition element. Condition keys might be supported with an action, or with an action and a specific resource. Pay close attention to whether the key is in the same row as a specific resource type. This table does not include global condition keys that are available for any action or under unrelated circumstances. For more information about global condition keys, see AWS global condition context keys.

The Dependent actions column includes any additional permissions that you should have, in addition to the permission for the action itself, to successfully call the action. This can be required if the action accesses more than one resource.

Dependent actions are not required in all scenarios. Refer to the individual service's documentation for more information about providing granular permissions to users.

The ARN column specifies the Amazon Resource Name (ARN) format that you must use to reference resources of this type. The portions that are preceded by a $ must be replaced by the actual values for your scenario. For example, if you see $user-name in an ARN, you must replace that string with either the actual user's name or a policy variable that contains a user's name. For more information about ARNs, see IAM ARNs.

The Condition keys column specifies condition context keys that you can include in an IAM policy statement only when both this resource and a supporting action from the table above are included in the statement.

The Type column specifies the data type of the condition key. This data type determines which condition operators you can use to compare values in the request with the values in the policy statement. You must use an operator that is appropriate for the data type. If you use an incorrect operator, then the match always fails and the policy statement never applies.

If the Type column specifies a "List of …" one of the simple types, then you can use multiple keys and values in your policies. Do this using condition set prefixes with your operators. Use the ForAllValues prefix to specify that all values in the request must match a value in the policy statement. Use the ForAnyValue prefix to specify that at least one value in the request matches one of the values in the policy statement.