Resource-level permissions in AWS User Notifications
Resource-level permissions define the AWS resources that you allow assigned entities (users, groups, and roles) to perform actions on. You specifiy the Amazon Resource Name (ARN) of one or more resources as part of an IAM policy. You can then attach this policy to IAM entities. When the action doesn't act on a named resource, or when you grant permission to perform the action on all resources, the value of the resource in the policy is a wildcard (*).
Note
AWS User Notifications doesn't support resource-based policies, which are directly attached to AWS resources. For more information about the differences between policies and permissions, see Identity-based policies and resource-based policies in the IAM User Guide.
For more information about defining resource-level permissions, see Creating IAM policies in the IAM User Guide.
Supported resource-level permissions for User Notifications API actions
This table describes the User Notifications API actions that currently support resource-level permissions, as well as the supported resources for each action, including their ARNs and ARN format.
| Resource | API action | Resource ARN format | Example |
|---|---|---|---|
|
Notification Configuration |
CreateNotificationConfiguration |
|
|
|
UpdateNotificationConfiguration |
|
|
|
|
DeleteNotificationConfiguration |
|
|
|
|
GetNotificationConfiguration |
|
|
|
|
ListNotificationConfiguration |
|
|
|
|
Event Rule |
CreateEventRule |
|
|
|
UpdateEventRule |
|
|
|
|
DeleteEventRule |
|
|
|
|
GetEventRule |
|
|
|
|
ListEventRules |
|
|
|
|
Channel |
AssociateChannel |
|
|
|
DisassociateChannel |
|
|
|
|
ListChannels |
|
|
|
|
Notification Event |
GetNotificationEvent |
|
|
|
ListNotificationEvents |
|
|
|
|
Notification Hub |
RegisterNotificationHub |
|
|
|
DeregisterNotificationHub |
|
|
|
|
ListNotificationHubs |
|
|
|
|
Email Contacts |
ActivateEmailContact |
|
|
|
CreateEmailContact |
|
|
|
|
DeleteEmailContact |
|
|
|
|
GetEmailContact |
|
|
|
|
ListEmailContacts |
|
|
|
|
ListTagsForResource |
|
|
|
|
SendActivationCode |
|
|
|
|
TagResource |
|
|
|
|
UntagResource |
|
|
Example 1: Administrator access
This policy allows a user to call all available APIs.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "notifications:*", "notifications-contacts:*" ], "Resource": "*" } ] }
Example 2: ReadOnly access
This policy allows a user to use get and list API actions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "notifications:Get*", "notifications:List*", "notifications-contacts:Get*", "notifications-contacts:List*" ], "Resource": "*" } ] }
Example 3: Deny a user the ability to update a notification configuration
This policy denies a user the ability to update a notification configuration.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "notifications:UpdateNotificationConfiguration" ], "Resource": "arn:aws:notifications::123456789012:configuration/a01gkn2k10c7spt0a8x8nj55555" } ] }
