Actions, resources, and condition keys for Amazon ElastiCache - Service Authorization Reference

Actions, resources, and condition keys for Amazon ElastiCache

Amazon ElastiCache (service prefix: elasticache) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon ElastiCache

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Note

When you create an ElastiCache policy in IAM you must use the "*" wildcard character for the Resource block. For information about using the following ElastiCache API actions in an IAM policy, see ElastiCache Actions and IAM in the Amazon ElastiCache User Guide.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AddTagsToResource Grants permission to add tags to an ElastiCache resource Tagging

cluster

parametergroup

replicationgroup

reserved-instance

securitygroup

serverlesscache

serverlesscachesnapshot

snapshot

subnetgroup

user

usergroup

aws:TagKeys

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

AuthorizeCacheSecurityGroupIngress Grants permission to authorize an EC2 security group on a ElastiCache security group Write

securitygroup*

ec2:AuthorizeSecurityGroupIngress

aws:ResourceTag/${TagKey}

BatchApplyUpdateAction Grants permission to apply ElastiCache service updates to sets of clusters and replication groups Write

cluster

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

s3:GetObject

replicationgroup

aws:ResourceTag/${TagKey}

BatchStopUpdateAction Grants permission to stop ElastiCache service updates from being executed on a set of clusters Write

cluster

replicationgroup

aws:ResourceTag/${TagKey}

CompleteMigration Grants permission to complete an online migration of data from hosted Redis on Amazon EC2 to ElastiCache Write

cluster

replicationgroup

aws:ResourceTag/${TagKey}

Connect Grants permission to connect as a specified ElastiCache user to an ElastiCache Replication Group or ElastiCache serverless cache Write

user*

replicationgroup

serverlesscache

aws:ResourceTag/${TagKey}

CopyServerlessCacheSnapshot Grants permission to make a copy of an existing serverless cache snapshot Write

serverlesscachesnapshot*

aws:ResourceTag/${TagKey}

elasticache:KmsKeyId

elasticache:AddTagsToResource

aws:RequestTag/${TagKey}

aws:TagKeys

CopySnapshot Grants permission to make a copy of an existing snapshot Write

snapshot*

elasticache:AddTagsToResource

s3:DeleteObject

s3:GetBucketAcl

s3:PutObject

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

elasticache:KmsKeyId

CreateCacheCluster Grants permission to create a cache cluster Write

parametergroup*

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

elasticache:AddTagsToResource

s3:GetObject

cluster

aws:RequestTag/${TagKey}

aws:TagKeys

elasticache:CacheNodeType

elasticache:EngineVersion

elasticache:EngineType

elasticache:MultiAZEnabled

elasticache:AuthTokenEnabled

elasticache:SnapshotRetentionLimit

elasticache:CacheParameterGroupName

replicationgroup

elasticache:CacheNodeType

elasticache:EngineVersion

elasticache:EngineType

elasticache:MultiAZEnabled

elasticache:AuthTokenEnabled

elasticache:SnapshotRetentionLimit

elasticache:CacheParameterGroupName

securitygroup

snapshot

subnetgroup

aws:ResourceTag/${TagKey}

CreateCacheParameterGroup Grants permission to create a parameter group Write

parametergroup*

elasticache:AddTagsToResource

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

elasticache:CacheParameterGroupName

CreateCacheSecurityGroup Grants permission to create a cache security group Write

securitygroup*

elasticache:AddTagsToResource

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateCacheSubnetGroup Grants permission to create a cache subnet group Write

subnetgroup*

elasticache:AddTagsToResource

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateGlobalReplicationGroup Grants permission to create a global replication group Write

globalreplicationgroup*

replicationgroup*

aws:ResourceTag/${TagKey}

CreateReplicationGroup Grants permission to create a replication group Write

parametergroup*

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

elasticache:AddTagsToResource

s3:GetObject

cluster

globalreplicationgroup

elasticache:NumNodeGroups

elasticache:CacheNodeType

elasticache:ReplicasPerNodeGroup

elasticache:EngineVersion

elasticache:EngineType

elasticache:AtRestEncryptionEnabled

elasticache:TransitEncryptionEnabled

elasticache:AutomaticFailoverEnabled

elasticache:MultiAZEnabled

elasticache:ClusterModeEnabled

elasticache:AuthTokenEnabled

elasticache:SnapshotRetentionLimit

elasticache:KmsKeyId

elasticache:CacheParameterGroupName

replicationgroup

aws:RequestTag/${TagKey}

aws:TagKeys

elasticache:NumNodeGroups

elasticache:CacheNodeType

elasticache:ReplicasPerNodeGroup

elasticache:EngineVersion

elasticache:EngineType

elasticache:AtRestEncryptionEnabled

elasticache:TransitEncryptionEnabled

elasticache:AutomaticFailoverEnabled

elasticache:MultiAZEnabled

elasticache:ClusterModeEnabled

elasticache:AuthTokenEnabled

elasticache:SnapshotRetentionLimit

elasticache:KmsKeyId

elasticache:CacheParameterGroupName

securitygroup

snapshot

subnetgroup

usergroup

aws:ResourceTag/${TagKey}

CreateServerlessCache Grants permission to create a serverless cache Write

serverlesscache*

aws:ResourceTag/${TagKey}

elasticache:EngineType

elasticache:EngineVersion

elasticache:SnapshotRetentionLimit

elasticache:KmsKeyId

elasticache:MinimumDataStorage

elasticache:MaximumDataStorage

elasticache:DataStorageUnit

elasticache:MinimumECPUPerSecond

elasticache:MaximumECPUPerSecond

ec2:CreateTags

ec2:CreateVpcEndpoint

ec2:DeleteVpcEndpoints

ec2:DescribeSecurityGroups

ec2:DescribeSubnets

ec2:DescribeTags

ec2:DescribeVpcEndpoints

ec2:DescribeVpcs

elasticache:AddTagsToResource

s3:GetObject

serverlesscachesnapshot

aws:ResourceTag/${TagKey}

snapshot

aws:ResourceTag/${TagKey}

usergroup

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

CreateServerlessCacheSnapshot Grants permission to create a copy of a serverless cache at a specific moment in time Write

serverlesscache*

aws:ResourceTag/${TagKey}

elasticache:AddTagsToResource

serverlesscachesnapshot*

aws:ResourceTag/${TagKey}

elasticache:KmsKeyId

aws:RequestTag/${TagKey}

aws:TagKeys

CreateSnapshot Grants permission to create a copy of an entire Redis cluster at a specific moment in time Write

snapshot*

aws:RequestTag/${TagKey}

aws:TagKeys

elasticache:KmsKeyId

elasticache:AddTagsToResource

s3:DeleteObject

s3:GetBucketAcl

s3:PutObject

cluster

replicationgroup

aws:ResourceTag/${TagKey}

CreateUser Grants permission to create a user for Redis. Users are supported from Redis 6.0 onwards Write

user*

elasticache:AddTagsToResource

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

elasticache:UserAuthenticationMode

CreateUserGroup Grants permission to create a user group for Redis. Groups are supported from Redis 6.0 onwards Write

user*

elasticache:AddTagsToResource

usergroup*

aws:RequestTag/${TagKey}

aws:TagKeys

aws:ResourceTag/${TagKey}

DecreaseNodeGroupsInGlobalReplicationGroup Grants permission to decrease the number of node groups in global replication groups Write

globalreplicationgroup*

elasticache:NumNodeGroups

DecreaseReplicaCount Grants permission to decrease the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group Write

replicationgroup*

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

aws:ResourceTag/${TagKey}

elasticache:ReplicasPerNodeGroup

DeleteCacheCluster Grants permission to delete a previously provisioned cluster Write

cluster*

aws:ResourceTag/${TagKey}

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

snapshot

DeleteCacheParameterGroup Grants permission to delete the specified cache parameter group Write

parametergroup*

aws:ResourceTag/${TagKey}

elasticache:CacheParameterGroupName

DeleteCacheSecurityGroup Grants permission to delete a cache security group Write

securitygroup*

aws:ResourceTag/${TagKey}

DeleteCacheSubnetGroup Grants permission to delete a cache subnet group Write

subnetgroup*

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

aws:ResourceTag/${TagKey}

DeleteGlobalReplicationGroup Grants permission to delete an existing global replication group Write

globalreplicationgroup*

DeleteReplicationGroup Grants permission to delete an existing replication group Write

replicationgroup*

aws:ResourceTag/${TagKey}

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

snapshot

DeleteServerlessCache Grants permission to delete a serverless cache Write

serverlesscache*

aws:ResourceTag/${TagKey}

ec2:DescribeTags

serverlesscachesnapshot

DeleteServerlessCacheSnapshot Grants permission to delete a serverless cache snapshot Write

serverlesscachesnapshot*

aws:ResourceTag/${TagKey}

DeleteSnapshot Grants permission to delete an existing snapshot Write

snapshot*

aws:ResourceTag/${TagKey}

DeleteUser Grants permission to delete an existing user and thus remove it from all user groups and replication groups where it was assigned Write

user*

aws:ResourceTag/${TagKey}

DeleteUserGroup Grants permission to delete an existing user group Write

usergroup*

aws:ResourceTag/${TagKey}

DescribeCacheClusters Grants permission to list information about provisioned cache clusters List

cluster*

aws:ResourceTag/${TagKey}

DescribeCacheEngineVersions Grants permission to list available cache engines and their versions List
DescribeCacheParameterGroups Grants permission to list cache parameter group descriptions List

parametergroup*

aws:ResourceTag/${TagKey}

DescribeCacheParameters Grants permission to retrieve the detailed parameter list for a particular cache parameter group List

parametergroup*

aws:ResourceTag/${TagKey}

DescribeCacheSecurityGroups Grants permission to list cache security group descriptions List

securitygroup*

aws:ResourceTag/${TagKey}

DescribeCacheSubnetGroups Grants permission to list cache subnet group descriptions List

subnetgroup*

aws:ResourceTag/${TagKey}

DescribeEngineDefaultParameters Grants permission to retrieve the default engine and system parameter information for the specified cache engine List
DescribeEvents Grants permission to list events related to clusters, cache security groups, and cache parameter groups List
DescribeGlobalReplicationGroups Grants permission to list information about global replication groups List

globalreplicationgroup*

DescribeReplicationGroups Grants permission to list information about provisioned replication groups List

replicationgroup*

aws:ResourceTag/${TagKey}

DescribeReservedCacheNodes Grants permission to list information about purchased reserved cache nodes List

reserved-instance*

aws:ResourceTag/${TagKey}

DescribeReservedCacheNodesOfferings Grants permission to list available reserved cache node offerings List
DescribeServerlessCacheSnapshots Grants permission to list information about serverless cache snapshots List

serverlesscachesnapshot*

aws:ResourceTag/${TagKey}

serverlesscache

aws:ResourceTag/${TagKey}

DescribeServerlessCaches Grants permission to list serverless caches List

serverlesscache*

aws:ResourceTag/${TagKey}

DescribeServiceUpdates Grants permission to list details of the service updates List
DescribeSnapshots Grants permission to list information about cluster or replication group snapshots List

snapshot*

aws:ResourceTag/${TagKey}

DescribeUpdateActions Grants permission to list details of the update actions for a set of clusters or replication groups List

cluster

replicationgroup

aws:ResourceTag/${TagKey}

DescribeUserGroups Grants permission to list information about Redis user groups List

usergroup*

aws:ResourceTag/${TagKey}

DescribeUsers Grants permission to list information about Redis users List

user*

aws:ResourceTag/${TagKey}

DisassociateGlobalReplicationGroup Grants permission to remove a secondary replication group from the global replication group Write

globalreplicationgroup*

ExportServerlessCacheSnapshot Grants permission to export a copy of a serverless cache at a specific moment in time to s3 bucket Write

serverlesscachesnapshot*

aws:ResourceTag/${TagKey}

s3:DeleteObject

s3:ListAllMyBuckets

s3:PutObject

FailoverGlobalReplicationGroup Grants permission to failover the primary region to a selected secondary region of a global replication group Write

globalreplicationgroup*

IncreaseNodeGroupsInGlobalReplicationGroup Grants permission to increase the number of node groups in a global replication group Write

globalreplicationgroup*

elasticache:NumNodeGroups

IncreaseReplicaCount Grants permission to increase the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group Write

replicationgroup*

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

aws:ResourceTag/${TagKey}

elasticache:ReplicasPerNodeGroup

InterruptClusterAzPower [permission only] Grants permission to test an AZ power interruption for an ElastiCache resource Write

replicationgroup*

aws:ResourceTag/${TagKey}

ListAllowedNodeTypeModifications Grants permission to list available node type that can be used to scale a particular Redis cluster or replication group List

cluster

replicationgroup

aws:ResourceTag/${TagKey}

ListTagsForResource Grants permission to list tags for an ElastiCache resource Read

cluster

parametergroup

replicationgroup

reserved-instance

securitygroup

serverlesscache

serverlesscachesnapshot

snapshot

subnetgroup

user

usergroup

aws:ResourceTag/${TagKey}

ModifyCacheCluster Grants permission to modify settings for a cluster Write

cluster*

elasticache:CacheNodeType

elasticache:EngineVersion

elasticache:MultiAZEnabled

elasticache:AuthTokenEnabled

elasticache:SnapshotRetentionLimit

elasticache:CacheParameterGroupName

parametergroup

securitygroup

aws:ResourceTag/${TagKey}

ModifyCacheParameterGroup Grants permission to modify parameters of a cache parameter group Write

parametergroup*

aws:ResourceTag/${TagKey}

elasticache:CacheParameterGroupName

ModifyCacheSubnetGroup Grants permission to modify an existing cache subnet group Write

subnetgroup*

aws:ResourceTag/${TagKey}

ModifyGlobalReplicationGroup Grants permission to modify settings for a global replication group Write

globalreplicationgroup*

elasticache:CacheNodeType

elasticache:EngineVersion

elasticache:AutomaticFailoverEnabled

ModifyReplicationGroup Grants permission to modify the settings for a replication group Write

replicationgroup*

elasticache:CacheNodeType

elasticache:EngineVersion

elasticache:AutomaticFailoverEnabled

elasticache:MultiAZEnabled

elasticache:AuthTokenEnabled

elasticache:SnapshotRetentionLimit

elasticache:CacheParameterGroupName

elasticache:TransitEncryptionEnabled

elasticache:ClusterModeEnabled

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

parametergroup

securitygroup

usergroup

aws:ResourceTag/${TagKey}

ModifyReplicationGroupShardConfiguration Grants permission to add shards, remove shards, or rebalance the keyspaces among existing shards of a replication group Write

replicationgroup*

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

aws:ResourceTag/${TagKey}

elasticache:NumNodeGroups

ModifyServerlessCache Grants permission to modify parameters for a serverless cache Write

serverlesscache*

aws:ResourceTag/${TagKey}

elasticache:EngineVersion

elasticache:SnapshotRetentionLimit

elasticache:MinimumDataStorage

elasticache:MaximumDataStorage

elasticache:DataStorageUnit

elasticache:MinimumECPUPerSecond

elasticache:MaximumECPUPerSecond

ec2:DescribeSecurityGroups

ec2:DescribeTags

usergroup

aws:ResourceTag/${TagKey}

ModifyUser Grants permission to change Redis user password(s) and/or access string Write

user*

aws:ResourceTag/${TagKey}

elasticache:UserAuthenticationMode

ModifyUserGroup Grants permission to change list of users that belong to the user group Write

user*

usergroup*

aws:ResourceTag/${TagKey}

PurchaseReservedCacheNodesOffering Grants permission to purchase a reserved cache node offering Write

reserved-instance*

elasticache:AddTagsToResource

aws:ResourceTag/${TagKey}

aws:RequestTag/${TagKey}

aws:TagKeys

RebalanceSlotsInGlobalReplicationGroup Grants permission to perform a key space rebalance operation to redistribute slots and ensure uniform key distribution across existing shards in a global replication group Write

globalreplicationgroup*

RebootCacheCluster Grants permission to reboot some, or all, of the cache nodes within a provisioned cache cluster or replication group (cluster mode disabled) Write

cluster*

aws:ResourceTag/${TagKey}

RemoveTagsFromResource Grants permission to remove tags from a ElastiCache resource Tagging

cluster

parametergroup

replicationgroup

reserved-instance

securitygroup

serverlesscache

serverlesscachesnapshot

snapshot

subnetgroup

user

usergroup

aws:TagKeys

aws:ResourceTag/${TagKey}

ResetCacheParameterGroup Grants permission to modify parameters of a cache parameter group back to their default values Write

parametergroup*

aws:ResourceTag/${TagKey}

elasticache:CacheParameterGroupName

RevokeCacheSecurityGroupIngress Grants permission to remove an EC2 security group ingress from a ElastiCache security group Write

securitygroup*

aws:ResourceTag/${TagKey}

StartMigration Grants permission to start a migration of data from hosted Redis on Amazon EC2 to ElastiCache for Redis Write

replicationgroup*

aws:ResourceTag/${TagKey}

TestFailover Grants permission to test automatic failover on a specified node group in a replication group Write

replicationgroup*

ec2:CreateNetworkInterface

ec2:DeleteNetworkInterface

ec2:DescribeNetworkInterfaces

ec2:DescribeSubnets

ec2:DescribeVpcs

aws:ResourceTag/${TagKey}

TestMigration Grants permission to test a migration of data from hosted Redis on Amazon EC2 to ElastiCache for Redis Write

replicationgroup*

aws:ResourceTag/${TagKey}

Resource types defined by Amazon ElastiCache

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
parametergroup arn:${Partition}:elasticache:${Region}:${Account}:parametergroup:${CacheParameterGroupName}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

elasticache:CacheParameterGroupName

securitygroup arn:${Partition}:elasticache:${Region}:${Account}:securitygroup:${CacheSecurityGroupName}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

subnetgroup arn:${Partition}:elasticache:${Region}:${Account}:subnetgroup:${CacheSubnetGroupName}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

replicationgroup arn:${Partition}:elasticache:${Region}:${Account}:replicationgroup:${ReplicationGroupId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

elasticache:AtRestEncryptionEnabled

elasticache:AuthTokenEnabled

elasticache:AutomaticFailoverEnabled

elasticache:CacheNodeType

elasticache:CacheParameterGroupName

elasticache:ClusterModeEnabled

elasticache:EngineType

elasticache:EngineVersion

elasticache:KmsKeyId

elasticache:MultiAZEnabled

elasticache:NumNodeGroups

elasticache:ReplicasPerNodeGroup

elasticache:SnapshotRetentionLimit

elasticache:TransitEncryptionEnabled

cluster arn:${Partition}:elasticache:${Region}:${Account}:cluster:${CacheClusterId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

elasticache:AuthTokenEnabled

elasticache:CacheNodeType

elasticache:CacheParameterGroupName

elasticache:EngineType

elasticache:EngineVersion

elasticache:MultiAZEnabled

elasticache:SnapshotRetentionLimit

reserved-instance arn:${Partition}:elasticache:${Region}:${Account}:reserved-instance:${ReservedCacheNodeId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

snapshot arn:${Partition}:elasticache:${Region}:${Account}:snapshot:${SnapshotName}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

elasticache:KmsKeyId

globalreplicationgroup arn:${Partition}:elasticache::${Account}:globalreplicationgroup:${GlobalReplicationGroupId}

elasticache:AtRestEncryptionEnabled

elasticache:AuthTokenEnabled

elasticache:AutomaticFailoverEnabled

elasticache:CacheNodeType

elasticache:CacheParameterGroupName

elasticache:ClusterModeEnabled

elasticache:EngineType

elasticache:EngineVersion

elasticache:KmsKeyId

elasticache:MultiAZEnabled

elasticache:NumNodeGroups

elasticache:ReplicasPerNodeGroup

elasticache:SnapshotRetentionLimit

elasticache:TransitEncryptionEnabled

user arn:${Partition}:elasticache:${Region}:${Account}:user:${UserId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

elasticache:UserAuthenticationMode

usergroup arn:${Partition}:elasticache:${Region}:${Account}:usergroup:${UserGroupId}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

serverlesscache arn:${Partition}:elasticache:${Region}:${Account}:serverlesscache:${ServerlessCacheName}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

elasticache:DataStorageUnit

elasticache:EngineType

elasticache:EngineVersion

elasticache:KmsKeyId

elasticache:MaximumDataStorage

elasticache:MaximumECPUPerSecond

elasticache:MinimumDataStorage

elasticache:MinimumECPUPerSecond

elasticache:SnapshotRetentionLimit

serverlesscachesnapshot arn:${Partition}:elasticache:${Region}:${Account}:serverlesscachesnapshot:${ServerlessCacheSnapshotName}

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

elasticache:KmsKeyId

Condition keys for Amazon ElastiCache

Amazon ElastiCache defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Note

For information about conditions in an IAM policy to control access to ElastiCache, see ElastiCache Keys in the Amazon ElastiCache User Guide.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters actions based on the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters actions based on the tags associated with the resource String
aws:TagKeys Filters actions based on the tag keys that are passed in the request ArrayOfString
elasticache:AtRestEncryptionEnabled Filters access by the AtRestEncryptionEnabled parameter present in the request or default false value if parameter is not present Bool
elasticache:AuthTokenEnabled Filters access by the presence of non empty AuthToken parameter in the request Bool
elasticache:AutomaticFailoverEnabled Filters access by the AutomaticFailoverEnabled parameter in the request Bool
elasticache:CacheNodeType Filters access by the cacheNodeType parameter present in the request. This key can be used to restrict which cache node types can be used on cluster creation or scaling operations String
elasticache:CacheParameterGroupName Filters access by the CacheParameterGroupName parameter in the request String
elasticache:ClusterModeEnabled Filters access by the cluster mode parameter present in the request. Default value for single node group (shard) creations is false Bool
elasticache:DataStorageUnit Filters access by the CacheUsageLimits.DataStorage.Unit parameter in the CreateServerlessCache and ModifyServerlessCache request String
elasticache:EngineType Filters access by the engine type present in creation requests. For replication group creations, default engine 'redis' is used as key if parameter is not present String
elasticache:EngineVersion Filters access by the engineVersion parameter present in creation or cluster modification requests String
elasticache:KmsKeyId Filters access by the Key ID of the KMS key String
elasticache:MaximumDataStorage Filters access by the CacheUsageLimits.DataStorage.Maximum parameter in the CreateServerlessCache and ModifyServerlessCache request Numeric
elasticache:MaximumECPUPerSecond Filters access by the CacheUsageLimits.ECPUPerSecond.Maximum parameter in the CreateServerlessCache and ModifyServerlessCache request Numeric
elasticache:MinimumDataStorage Filters access by the CacheUsageLimits.DataStorage.Minimum parameter in the CreateServerlessCache and ModifyServerlessCache request Numeric
elasticache:MinimumECPUPerSecond Filters access by the CacheUsageLimits.ECPUPerSecond.Minimum parameter in the CreateServerlessCache and ModifyServerlessCache request Numeric
elasticache:MultiAZEnabled Filters access by the AZMode parameter, MultiAZEnabled parameter or the number of availability zones that the cluster or replication group can be placed in Bool
elasticache:NumNodeGroups Filters access by the NumNodeGroups or NodeGroupCount parameter specified in the request. This key can be used to restrict the number of node groups (shards) clusters can have after creation or scaling operations Numeric
elasticache:ReplicasPerNodeGroup Filters access by the number of replicas per node group (shards) specified in creations or scaling requests Numeric
elasticache:SnapshotRetentionLimit Filters access by the SnapshotRetentionLimit parameter in the request Numeric
elasticache:TransitEncryptionEnabled Filters access by the TransitEncryptionEnabled parameter present in the request. For replication group creations, default value 'false' is used as key if parameter is not present Bool
elasticache:UserAuthenticationMode Filters access by the UserAuthenticationMode parameter in the request String