Actions, resources, and condition keys for AWS services
Each AWS service can define actions, resources, and condition context keys for use in IAM policies. This topic describes how the elements provided for each service are documented.
Each topic consists of tables that provide the list of available actions, resources, and condition keys.
The actions table
The Actions table lists all the actions that you can use in an IAM policy statement's Action element. Not all API operations that are defined by a service can be used as an action in an IAM policy. Some services include permission-only actions that don't directly correspond to an API operation. These actions are indicated with [permission only]. Use this list to determine which actions you can use in an IAM policy. For more information about the Action, Resource, or Condition elements, see IAM JSON policy elements reference. The Actions and Description table columns are self-descriptive.
- The Access level column describes how the action is classified (List, Read, Write, Permissions management, or Tagging). This classification can help you understand the level of access that an action grants when you use it in a policy. For more information about access levels, see Understanding access level summaries within policy summaries.
- The Resource types column indicates whether the action supports resource-level permissions. If the column is empty, then the action does not support resource-level permissions and you must specify all resources ("*") in your policy. If the column includes a resource type, then you can specify the resource ARN in the Resource element of your policy. For more information about that resource, refer to that row in the Resource types table. All actions and resources that are included in one statement must be compatible with each other. If you specify a resource that is not valid for the action, the statement never matches a request for that action, so its Effect does not apply: an Allow written that way leaves the request implicitly denied, and a Deny written that way denies nothing. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not indicated as required), then you can choose to use one of the supported types but not another.
- The Condition keys column includes keys that you can specify in a policy statement's Condition element. Condition keys might be supported with an action, or with an action and a specific resource. Pay close attention to whether the key is in the same row as a specific resource type. This table does not include global condition keys that are available for any action or under unrelated circumstances. For more information about global condition keys, see AWS global condition context keys.
- The Dependent actions column includes any additional permissions that you should have, in addition to the permission for the action itself, to successfully call the action. This can be required if the action accesses more than one resource. Dependent actions are not required in all scenarios. Refer to the individual service's documentation for more information about providing granular permissions to users.
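The compatibility rule described above (an action with no resource type needs Resource "*", and any resource ARN in the statement must be of a type the action supports) is easy to check mechanically. The following is an added example for this page, not AWS tooling: a small Python linter over policy statements that embeds a hand-copied excerpt of the IAM and Amazon S3 Actions tables as ACTION_TABLE. The excerpt, the sample policies and the ARN-to-resource-type rules (which cover only the IAM and S3 ARN formats) are assumptions made for the example.

```python
"""Lint IAM policy statements for action/resource pairs that can never match.

Hypothetical helper written for this page, not AWS tooling. ACTION_TABLE is a
hand-copied excerpt of the Actions tables for IAM and Amazon S3: each action maps
to the resource types it supports; an empty set means the action does not support
resource-level permissions, so its Resource element must be "*".
"""
import fnmatch

ACTION_TABLE: dict[str, frozenset[str]] = {
    "iam:ListUsers": frozenset(),               # no resource type: needs "*"
    "iam:GetUser": frozenset({"user"}),
    "iam:CreateAccessKey": frozenset({"user"}),
    "s3:ListAllMyBuckets": frozenset(),         # no resource type: needs "*"
    "s3:ListBucket": frozenset({"bucket"}),
    "s3:GetObject": frozenset({"object"}),
    "s3:PutObject": frozenset({"object"}),
}


def resource_types_for_arn(arn: str) -> set[str]:
    """Resource type(s) an ARN (possibly with wildcards) can denote.

    Only the IAM and S3 formats from the Resource types tables are handled:
      arn:${Partition}:iam::${Account}:user/${UserNameWithPath}
      arn:${Partition}:s3:::${BucketName}
      arn:${Partition}:s3:::${BucketName}/${ObjectName}
    """
    if arn == "*":
        return {"*"}
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, rest = parts[2], parts[5]
    if service == "iam":
        return {rest.split("/", 1)[0]}          # "user/alice" -> user, "role/*" -> role
    if service == "s3":
        if "/" in rest:
            return {"object"}
        # A bare trailing wildcard such as arn:aws:s3:::* can match either type.
        return {"bucket", "object"} if rest.endswith("*") else {"bucket"}
    raise ValueError(f"no ARN rule for service {service!r}")


def _as_list(value) -> list[str]:
    return [value] if isinstance(value, str) else list(value)


def lint_statement(stmt: dict) -> list[str]:
    """One finding per (action, resource) pair the statement can never apply to."""
    findings: list[str] = []
    resources = _as_list(stmt.get("Resource", []))
    for pattern in _as_list(stmt.get("Action", [])):
        # Action names are case-insensitive and may use * and ? wildcards.
        matched = [a for a in ACTION_TABLE
                   if fnmatch.fnmatchcase(a.lower(), pattern.lower())]
        if not matched:
            findings.append(f"{pattern}: not in the table excerpt, skipped")
            continue
        for action in matched:
            supported = ACTION_TABLE[action]
            for res in resources:
                types = resource_types_for_arn(res)
                if "*" in types:
                    continue                    # "*" is valid for every action
                if not supported:
                    findings.append(f'{action} has no resource type; Resource must be "*", not {res}')
                elif not types & supported:
                    findings.append(f"{action} supports {sorted(supported)}, "
                                    f"but {res} is a {'/'.join(sorted(types))} ARN")
    return findings


def lint_policy(policy: dict) -> dict[int, list[str]]:
    """Statement index -> findings, for statements that have any."""
    out = {}
    for i, stmt in enumerate(policy["Statement"]):
        if f := lint_statement(stmt):
            out[i] = f
    return out


# Constructed sample policies (not from the page). The first one mixes a
# list-level action with resource ARNs and points s3:GetObject at a bucket ARN,
# so none of those pairs ever match and the Allow silently does nothing for them.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ListUsers", "iam:GetUser", "s3:GetObject"],
        "Resource": ["arn:aws:iam::123456789012:user/*", "arn:aws:s3:::app-logs"],
    }],
}

FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:ListUsers", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:GetUser",
         "Resource": "arn:aws:iam::123456789012:user/*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

The same check matters more for Deny statements: a Deny whose action and resource types do not line up never matches, so its Effect does not apply and the deny silently does nothing. If you run something like this in CI, generate the table from the per-service pages rather than hand-copying it.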
The resource types table
The Resource types table lists all the resource types that you can specify as an ARN in the Resource policy element. Not every resource type can be specified with every action. Some resource types work with only certain actions. If you specify a resource type in a statement with an action that does not support that resource type, then the statement doesn't allow access. For more information about the Resource element, see IAM JSON policy elements: Resource.
- The ARN column specifies the Amazon Resource Name (ARN) format that you must use to reference resources of this type. The portions that are preceded by a $ must be replaced by the actual values for your scenario. For example, if you see $user-name in an ARN, you must replace that string with either the actual user's name or a policy variable that contains a user's name. For more information about ARNs, see IAM ARNs.
- The Condition keys column specifies condition context keys that you can include in an IAM policy statement only when both this resource and a supporting action from the table above are included in the statement.
The condition keys table
The condition keys table lists all of the condition context keys that you can use in an IAM policy statement's Condition element. Not every key can be specified with every action or resource. Certain keys only work with certain types of actions and resources. For more information about the Condition element, see IAM JSON policy elements: Condition.
- The Type column specifies the data type of the condition key. This data type determines which condition operators you can use to compare values in the request with the values in the policy statement. You must use an operator that is appropriate for the data type. If you use an incorrect operator, then the match always fails and the policy statement never applies. If the Type column specifies a list of one of the simple types (shown as "List of …"), the key is multivalued and you can match multiple values in your policies. Do this using the condition set prefixes with your operators. Use the ForAllValues prefix to specify that every value in the request must match a value in the policy statement. Use the ForAnyValue prefix to specify that at least one value in the request must match one of the values in the policy statement. Note that ForAllValues also matches when the key is absent from the request or resolves to an empty set, so an Allow statement that depends on the key being present should pair it with a Null condition on that key.
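To make the set-operator semantics concrete, here is an added example (not AWS code): a toy evaluator for a Condition block that implements the documented behaviour of the ForAllValues and ForAnyValue prefixes for a multivalued key such as aws:TagKeys, alongside a Null check and a few single-valued operators. The operators it models, the conditions and the request contexts are constructed for the example; real policy evaluation has many more operators and modifiers (IfExists, policy variables, case-insensitive variants) that it leaves out.

```python
"""Evaluate an IAM Condition block against a request context.

Toy evaluator written for this page (not AWS code). It models just enough of the
documented semantics to show the points in the text: an operator must fit the
key's data type, multivalued keys need the ForAllValues:/ForAnyValue: set
prefixes, and a Null check is what makes "key must be present" explicit.
"""
import fnmatch


def _operator(name: str):
    """Predicate (request_value, policy_value) -> bool for one base operator."""
    table = {
        "StringEquals": lambda r, p: r == p,
        "StringLike": lambda r, p: fnmatch.fnmatchcase(r, p),
        "NumericEquals": lambda r, p: float(r) == float(p),
        "NumericLessThan": lambda r, p: float(r) < float(p),
        "Bool": lambda r, p: str(r).lower() == str(p).lower(),
    }
    if name not in table:
        raise ValueError(f"operator {name!r} not modelled here")
    return table[name]


def _request_values(ctx: dict, key: str) -> list[str]:
    value = ctx.get(key)
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _match_key(operator: str, key: str, policy_values, ctx: dict) -> bool:
    prefix, _, base = operator.rpartition(":")   # "ForAllValues:StringEquals"
    pvals = [policy_values] if isinstance(policy_values, str) else list(policy_values)
    rvals = _request_values(ctx, key)
    if base == "Null":
        # "true" matches when the key is absent (or empty), "false" when it is present.
        return (not rvals) == (str(pvals[0]).lower() == "true")
    pred = _operator(base)

    def matches(r: str) -> bool:
        try:
            return any(pred(r, p) for p in pvals)   # values for one key are ORed
        except ValueError:                          # type/operator mismatch: never matches
            return False

    if prefix == "ForAllValues":
        return all(matches(r) for r in rvals)       # vacuously True when rvals is empty
    if prefix == "ForAnyValue":
        return any(matches(r) for r in rvals)       # False when rvals is empty
    if len(rvals) > 1:
        raise ValueError(f"{key} is multivalued; use ForAllValues:/ForAnyValue: with {base}")
    return bool(rvals) and matches(rvals[0])        # absent single-valued key: no match


def evaluate(condition: dict, ctx: dict) -> bool:
    """Every operator block and every key inside it must match (AND)."""
    return all(_match_key(op, key, vals, ctx)
               for op, keys in condition.items()
               for key, vals in keys.items())


# Constructed conditions over aws:TagKeys (a multivalued key) and constructed
# request contexts; none of these come from the page.
ONLY_KNOWN_TAG_KEYS = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]},
}
ONLY_KNOWN_TAG_KEYS_AND_PRESENT = {
    "ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]},
    "Null": {"aws:TagKeys": "false"},   # the key must actually be in the request
}
OWNER_TAG_REQUIRED = {"ForAnyValue:StringEquals": {"aws:TagKeys": "Owner"}}


def demo() -> dict[str, bool]:
    tagged = {"aws:TagKeys": ["Owner", "CostCenter"]}
    extra_key = {"aws:TagKeys": ["Owner", "Env"]}
    untagged: dict = {}
    return {
        "ForAllValues, all keys known": evaluate(ONLY_KNOWN_TAG_KEYS, tagged),
        "ForAllValues, one unknown key": evaluate(ONLY_KNOWN_TAG_KEYS, extra_key),
        "ForAllValues, no tags at all": evaluate(ONLY_KNOWN_TAG_KEYS, untagged),
        "ForAllValues + Null, no tags": evaluate(ONLY_KNOWN_TAG_KEYS_AND_PRESENT, untagged),
        "ForAnyValue, Owner among others": evaluate(OWNER_TAG_REQUIRED, extra_key),
        "ForAnyValue, no tags at all": evaluate(OWNER_TAG_REQUIRED, untagged),
        "Bool on an absent key": evaluate({"Bool": {"aws:MultiFactorAuthPresent": "true"}}, untagged),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{result!s:5}  {label}")
```

The result that deserves attention is the third one: with no tags in the request, ForAllValues matches vacuously, so an Allow that relies on ForAllValues alone also permits untagged requests. Adding "Null": {"aws:TagKeys": "false"} closes that gap, as the fourth result shows. The evaluator refuses a single-valued operator on a multivalued key rather than guessing; treat that as a lint failure in your own policies.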
Topics
- AWS Account Management
- AWS Activate
- Amazon AI Operations
- Alexa for Business
- AmazonMediaImport
- AWS Amplify
- AWS Amplify Admin
- AWS Amplify UI Builder
- Apache Kafka APIs for Amazon MSK clusters
- Amazon API Gateway
- Amazon API Gateway Management
- Amazon API Gateway Management V2
- AWS App Mesh
- AWS App Mesh Preview
- AWS App Runner
- AWS App Studio
- AWS App2Container
- AWS AppConfig
- AWS AppFabric
- Amazon AppFlow
- Amazon AppIntegrations
- AWS Application Auto Scaling
- AWS Application Cost Profiler Service
- Application Discovery Arsenal
- AWS Application Discovery Service
- AWS Application Migration Service
- Amazon Application Recovery Controller - Zonal Shift
- AWS Application Transformation Service
- Amazon AppStream 2.0
- AWS AppSync
- AWS Artifact
- Amazon Athena
- AWS Audit Manager
- Amazon Aurora DSQL
- AWS Auto Scaling
- AWS B2B Data Interchange
- AWS Backup
- AWS Backup Gateway
- AWS Backup Search
- AWS Backup storage
- AWS Batch
- Amazon Bedrock
- AWS Billing
- AWS Billing And Cost Management Data Exports
- AWS Billing And Cost Management Pricing Calculator
- AWS Billing Conductor
- AWS Billing Console
- Amazon Braket
- AWS Budget Service
- AWS BugBust
- AWS Certificate Manager
- AWS Chatbot
- Amazon Chime
- AWS Clean Rooms
- AWS Clean Rooms ML
- AWS Cloud Control API
- Amazon Cloud Directory
- AWS Cloud Map
- AWS Cloud9
- AWS CloudFormation
- Amazon CloudFront
- Amazon CloudFront KeyValueStore
- AWS CloudHSM
- Amazon CloudSearch
- AWS CloudShell
- AWS CloudTrail
- AWS CloudTrail Data
- Amazon CloudWatch
- Amazon CloudWatch Application Insights
- Amazon CloudWatch Application Signals
- Amazon CloudWatch Evidently
- Amazon CloudWatch Internet Monitor
- Amazon CloudWatch Logs
- Amazon CloudWatch Network Monitor
- Amazon CloudWatch Observability Access Manager
- Amazon CloudWatch Observability Admin Service
- AWS CloudWatch RUM
- Amazon CloudWatch Synthetics
- AWS CodeArtifact
- AWS CodeBuild
- Amazon CodeCatalyst
- AWS CodeCommit
- AWS CodeConnections
- AWS CodeDeploy
- AWS CodeDeploy secure host commands service
- Amazon CodeGuru
- Amazon CodeGuru Profiler
- Amazon CodeGuru Reviewer
- Amazon CodeGuru Security
- AWS CodePipeline
- AWS CodeStar
- AWS CodeStar Connections
- AWS CodeStar Notifications
- Amazon CodeWhisperer
- Amazon Cognito Identity
- Amazon Cognito Sync
- Amazon Cognito User Pools
- Amazon Comprehend
- Amazon Comprehend Medical
- AWS Compute Optimizer
- AWS Config
- Amazon Connect
- Amazon Connect Cases
- Amazon Connect Customer Profiles
- Amazon Connect Outbound Campaigns
- Amazon Connect Voice ID
- AWS Connector Service
- AWS Management Console Mobile App
- AWS Consolidated Billing
- AWS Control Catalog
- AWS Control Tower
- AWS Cost and Usage Report
- AWS Cost Explorer Service
- AWS Cost Optimization Hub
- AWS Customer Verification Service
- AWS Data Exchange
- Amazon Data Lifecycle Manager
- AWS Data Pipeline
- AWS Database Migration Service
- Database Query Metadata Service
- AWS DataSync
- Amazon DataZone
- AWS Deadline Cloud
- AWS DeepComposer
- AWS DeepLens
- AWS DeepRacer
- Amazon Detective
- AWS Device Farm
- Amazon DevOps Guru
- AWS Diagnostic tools
- AWS Direct Connect
- AWS Directory Service
- AWS Directory Service Data
- Amazon DocumentDB Elastic Clusters
- Amazon DynamoDB
- Amazon DynamoDB Accelerator (DAX)
- Amazon EC2
- Amazon EC2 Auto Scaling
- Amazon EC2 Image Builder
- Amazon EC2 Instance Connect
- Amazon EKS Auth
- AWS Elastic Beanstalk
- Amazon Elastic Block Store
- Amazon Elastic Container Registry
- Amazon Elastic Container Registry Public
- Amazon Elastic Container Service
- AWS Elastic Disaster Recovery
- Amazon Elastic File System
- Amazon Elastic Inference
- Amazon Elastic Kubernetes Service
- AWS Elastic Load Balancing
- AWS Elastic Load Balancing V2
- Amazon Elastic MapReduce
- Amazon Elastic Transcoder
- Amazon ElastiCache
- AWS Elemental Appliances and Software
- AWS Elemental Appliances and Software Activation Service
- AWS Elemental MediaConnect
- AWS Elemental MediaConvert
- AWS Elemental MediaLive
- AWS Elemental MediaPackage
- AWS Elemental MediaPackage V2
- AWS Elemental MediaPackage VOD
- AWS Elemental MediaStore
- AWS Elemental MediaTailor
- AWS Elemental Support Cases
- AWS Elemental Support Content
- Amazon EMR on EKS (EMR Containers)
- Amazon EMR Serverless
- AWS End User Messaging SMS and Voice V2
- AWS End User Messaging Social
- AWS Entity Resolution
- Amazon EventBridge
- Amazon EventBridge Pipes
- Amazon EventBridge Scheduler
- Amazon EventBridge Schemas
- AWS Fault Injection Service
- Amazon FinSpace
- Amazon FinSpace API
- AWS Firewall Manager
- Amazon Forecast
- Amazon Fraud Detector
- AWS Free Tier
- Amazon FreeRTOS
- Amazon FSx
- Amazon GameLift
- AWS Global Accelerator
- AWS Glue
- AWS Glue DataBrew
- AWS Ground Station
- Amazon GroundTruth Labeling
- Amazon GuardDuty
- AWS Health APIs and Notifications
- AWS HealthImaging
- AWS HealthLake
- AWS HealthOmics
- Amazon Honeycode
- AWS IAM Access Analyzer
- AWS IAM Identity Center (successor to AWS Single Sign-On)
- AWS IAM Identity Center (successor to AWS Single Sign-On) directory
- AWS IAM Identity Center OIDC service
- AWS Identity and Access Management (IAM)
- AWS Identity and Access Management Roles Anywhere
- AWS Identity Store
- AWS Identity Store Auth
- AWS Identity Sync
- AWS Import Export Disk Service
- Amazon Inspector
- Amazon Inspector2
- Amazon InspectorScan
- Amazon Interactive Video Service
- Amazon Interactive Video Service Chat
- AWS Invoicing Service
- AWS IoT
- AWS IoT 1-Click
- AWS IoT Analytics
- AWS IoT Core Device Advisor
- AWS IoT Device Tester
- AWS IoT Events
- AWS IoT Fleet Hub for Device Management
- AWS IoT FleetWise
- AWS IoT Greengrass
- AWS IoT Greengrass V2
- AWS IoT Jobs DataPlane
- AWS IoT SiteWise
- AWS IoT TwinMaker
- AWS IoT Wireless
- AWS IQ
- AWS IQ Permissions
- Amazon Kendra
- Amazon Kendra Intelligent Ranking
- AWS Key Management Service
- Amazon Keyspaces (for Apache Cassandra)
- Amazon Kinesis Analytics
- Amazon Kinesis Analytics V2
- Amazon Kinesis Data Streams
- Amazon Kinesis Firehose
- Amazon Kinesis Video Streams
- AWS Lake Formation
- AWS Lambda
- AWS Launch Wizard
- Amazon Lex
- Amazon Lex V2
- AWS License Manager
- AWS License Manager Linux Subscriptions Manager
- AWS License Manager User Subscriptions
- Amazon Lightsail
- Amazon Location
- Amazon Location Service Maps
- Amazon Location Service Places
- Amazon Location Service Routes
- Amazon Lookout for Equipment
- Amazon Lookout for Metrics
- Amazon Lookout for Vision
- Amazon Machine Learning
- Amazon Macie
- AWS Mainframe Modernization Application Testing
- AWS Mainframe Modernization Service
- Amazon Managed Blockchain
- Amazon Managed Blockchain Query
- Amazon Managed Grafana
- Amazon Managed Service for Prometheus
- Amazon Managed Streaming for Apache Kafka
- Amazon Managed Streaming for Kafka Connect
- Amazon Managed Workflows for Apache Airflow
- AWS Marketplace
- AWS Marketplace Catalog
- AWS Marketplace Commerce Analytics Service
- AWS Marketplace Deployment Service
- AWS Marketplace Discovery
- AWS Marketplace Entitlement Service
- AWS Marketplace Image Building Service
- AWS Marketplace Management Portal
- AWS Marketplace Metering Service
- AWS Marketplace Private Marketplace
- AWS Marketplace Procurement Systems Integration
- AWS Marketplace Reporting
- AWS Marketplace Seller Reporting
- AWS Marketplace Vendor Insights
- Amazon Mechanical Turk
- Amazon MemoryDB
- Amazon Message Delivery Service
- Amazon Message Gateway Service
- AWS Microservice Extractor for .NET
- AWS Migration Acceleration Program Credits
- AWS Migration Hub
- AWS Migration Hub Orchestrator
- AWS Migration Hub Refactor Spaces
- AWS Migration Hub Strategy Recommendations
- Amazon Mobile Analytics
- Amazon Monitron
- Amazon MQ
- Amazon Neptune
- Amazon Neptune Analytics
- AWS Network Firewall
- Network Flow Monitor
- AWS Network Manager
- AWS Network Manager Chat
- Amazon Nimble Studio
- Amazon One Enterprise
- Amazon OpenSearch
- Amazon OpenSearch Ingestion
- Amazon OpenSearch Serverless
- Amazon OpenSearch Service
- AWS OpsWorks
- AWS OpsWorks Configuration Management
- AWS Organizations
- AWS Outposts
- AWS Panorama
- AWS Parallel Computing Service
- AWS Partner central account management
- AWS Partner Central Selling
- AWS Payment Cryptography
- AWS Payments
- AWS Performance Insights
- Amazon Personalize
- Amazon Pinpoint
- Amazon Pinpoint Email Service
- Amazon Pinpoint SMS and Voice Service
- Amazon Polly
- AWS Price List
- AWS Private CA Connector for Active Directory
- AWS Private CA Connector for SCEP
- AWS Private Certificate Authority
- AWS PrivateLink
- AWS Proton
- AWS Purchase Orders Console
- Amazon Q
- Amazon Q Business
- Amazon Q Business Q Apps
- Amazon Q in Connect
- Amazon QLDB
- Amazon QuickSight
- Amazon RDS
- Amazon RDS Data API
- Amazon RDS IAM Authentication
- AWS Recycle Bin
- Amazon Redshift
- Amazon Redshift Data API
- Amazon Redshift Serverless
- Amazon Rekognition
- AWS rePost Private
- AWS Resilience Hub
- AWS Resource Access Manager (RAM)
- AWS Resource Explorer
- Amazon Resource Group Tagging API
- AWS Resource Groups
- Amazon RHEL Knowledgebase Portal
- AWS RoboMaker
- Amazon Route 53
- Amazon Route 53 Domains
- Amazon Route 53 Profiles
- Amazon Route 53 Recovery Cluster
- Amazon Route 53 Recovery Controls
- Amazon Route 53 Recovery Readiness
- Amazon Route 53 Resolver
- Amazon S3
- Amazon S3 Express
- Amazon S3 Glacier
- Amazon S3 Object Lambda
- Amazon S3 on Outposts
- Amazon S3 Tables
- Amazon SageMaker
- Amazon SageMaker data science assistant
- Amazon SageMaker geospatial capabilities
- Amazon SageMaker Ground Truth Synthetic
- Amazon SageMaker with MLflow
- AWS Savings Plans
- AWS Secrets Manager
- AWS Security Hub
- AWS Security Incident Response
- Amazon Security Lake
- AWS Security Token Service
- AWS Server Migration Service
- AWS Serverless Application Repository
- AWS Service Catalog
- AWS service providing managed private networks
- Service Quotas
- Amazon SES
- AWS Shield
- AWS Signer
- AWS Signin
- Amazon Simple Email Service - Mail Manager
- Amazon Simple Email Service v2
- Amazon Simple Workflow Service
- Amazon SimpleDB
- AWS SimSpace Weaver
- AWS Snow Device Management
- AWS Snowball
- Amazon SNS
- AWS SQL Workbench
- Amazon SQS
- AWS Step Functions
- AWS Storage Gateway
- AWS Supply Chain
- AWS Support
- AWS Support App in Slack
- AWS Support Plans
- AWS Support Recommendations
- AWS Sustainability
- AWS Systems Manager
- AWS Systems Manager for SAP
- AWS Systems Manager GUI Connect
- AWS Systems Manager Incident Manager
- AWS Systems Manager Incident Manager Contacts
- AWS Systems Manager Quick Setup
- Tag Editor
- AWS Tax Settings
- AWS Telco Network Builder
- Amazon Textract
- Amazon Timestream
- Amazon Timestream InfluxDB
- AWS Tiros
- Amazon Transcribe
- AWS Transfer Family
- Amazon Translate
- AWS Trusted Advisor
- AWS User Notifications
- AWS User Notifications Contacts
- AWS User Subscriptions
- AWS Verified Access
- Amazon Verified Permissions
- Amazon VPC Lattice
- Amazon VPC Lattice Services
- AWS WAF
- AWS WAF Regional
- AWS WAF V2
- AWS Well-Architected Tool
- AWS Wickr
- Amazon WorkDocs
- Amazon WorkLink
- Amazon WorkMail
- Amazon WorkMail Message Flow
- Amazon WorkSpaces
- Amazon WorkSpaces Application Manager
- Amazon WorkSpaces Secure Browser
- Amazon WorkSpaces Thin Client
- AWS X-Ray