Actions, resources, and condition keys for Amazon ElastiCache
Amazon ElastiCache (service prefix: elasticache
) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
Topics
Actions defined by Amazon ElastiCache
You can specify the following actions in the Action
element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource
element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource
element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition
element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Note
When you create an ElastiCache policy in IAM you must use the "*" wildcard character for the Resource block. For information about using the following ElastiCache API actions in an IAM policy, see ElastiCache Actions and IAM in the Amazon ElastiCache User Guide.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AddTagsToResource | Grants permission to add tags to an ElastiCache resource | Tagging | |||
AuthorizeCacheSecurityGroupIngress | Grants permission to authorize an EC2 security group on a ElastiCache security group | Write |
ec2:AuthorizeSecurityGroupIngress |
||
BatchApplyUpdateAction | Grants permission to apply ElastiCache service updates to sets of clusters and replication groups | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs s3:GetObject |
||
BatchStopUpdateAction | Grants permission to stop ElastiCache service updates from being executed on a set of clusters | Write | |||
CompleteMigration | Grants permission to complete an online migration of data from hosted Redis on Amazon EC2 to ElastiCache | Write | |||
Connect | Grants permission to connect as a specified ElastiCache user to an ElastiCache Replication Group or ElastiCache serverless cache | Write | |||
CopyServerlessCacheSnapshot | Grants permission to make a copy of an existing serverless cache snapshot | Write |
elasticache:AddTagsToResource |
||
CopySnapshot | Grants permission to make a copy of an existing snapshot | Write |
elasticache:AddTagsToResource s3:DeleteObject s3:GetBucketAcl s3:PutObject |
||
CreateCacheCluster | Grants permission to create a cache cluster | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs elasticache:AddTagsToResource s3:GetObject |
||
CreateCacheParameterGroup | Grants permission to create a parameter group | Write |
elasticache:AddTagsToResource |
||
CreateCacheSecurityGroup | Grants permission to create a cache security group | Write |
elasticache:AddTagsToResource |
||
CreateCacheSubnetGroup | Grants permission to create a cache subnet group | Write |
elasticache:AddTagsToResource |
||
CreateGlobalReplicationGroup | Grants permission to create a global replication group | Write | |||
CreateReplicationGroup | Grants permission to create a replication group | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs elasticache:AddTagsToResource s3:GetObject |
||
elasticache:ReplicasPerNodeGroup elasticache:AtRestEncryptionEnabled elasticache:TransitEncryptionEnabled elasticache:AutomaticFailoverEnabled elasticache:ClusterModeEnabled |
|||||
elasticache:ReplicasPerNodeGroup elasticache:AtRestEncryptionEnabled elasticache:TransitEncryptionEnabled elasticache:AutomaticFailoverEnabled elasticache:ClusterModeEnabled |
|||||
CreateServerlessCache | Grants permission to create a serverless cache | Write |
elasticache:SnapshotRetentionLimit elasticache:MinimumDataStorage elasticache:MaximumDataStorage |
ec2:CreateTags ec2:CreateVpcEndpoint ec2:DeleteVpcEndpoints ec2:DescribeSecurityGroups ec2:DescribeSubnets ec2:DescribeTags ec2:DescribeVpcEndpoints ec2:DescribeVpcs elasticache:AddTagsToResource s3:GetObject |
|
CreateServerlessCacheSnapshot | Grants permission to create a copy of a serverless cache at a specific moment in time | Write |
elasticache:AddTagsToResource |
||
CreateSnapshot | Grants permission to create a copy of an entire Redis cluster at a specific moment in time | Write |
elasticache:AddTagsToResource s3:DeleteObject s3:GetBucketAcl s3:PutObject |
||
CreateUser | Grants permission to create a user for Redis. Users are supported from Redis 6.0 onwards | Write |
elasticache:AddTagsToResource |
||
CreateUserGroup | Grants permission to create a user group for Redis. Groups are supported from Redis 6.0 onwards | Write |
elasticache:AddTagsToResource |
||
DecreaseNodeGroupsInGlobalReplicationGroup | Grants permission to decrease the number of node groups in global replication groups | Write | |||
DecreaseReplicaCount | Grants permission to decrease the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
DeleteCacheCluster | Grants permission to delete a previously provisioned cluster | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
DeleteCacheParameterGroup | Grants permission to delete the specified cache parameter group | Write | |||
DeleteCacheSecurityGroup | Grants permission to delete a cache security group | Write | |||
DeleteCacheSubnetGroup | Grants permission to delete a cache subnet group | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
DeleteGlobalReplicationGroup | Grants permission to delete an existing global replication group | Write | |||
DeleteReplicationGroup | Grants permission to delete an existing replication group | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
DeleteServerlessCache | Grants permission to delete a serverless cache | Write |
ec2:DescribeTags |
||
DeleteServerlessCacheSnapshot | Grants permission to delete a serverless cache snapshot | Write | |||
DeleteSnapshot | Grants permission to delete an existing snapshot | Write | |||
DeleteUser | Grants permission to delete an existing user and thus remove it from all user groups and replication groups where it was assigned | Write | |||
DeleteUserGroup | Grants permission to delete an existing user group | Write | |||
DescribeCacheClusters | Grants permission to list information about provisioned cache clusters | List | |||
DescribeCacheEngineVersions | Grants permission to list available cache engines and their versions | List | |||
DescribeCacheParameterGroups | Grants permission to list cache parameter group descriptions | List | |||
DescribeCacheParameters | Grants permission to retrieve the detailed parameter list for a particular cache parameter group | List | |||
DescribeCacheSecurityGroups | Grants permission to list cache security group descriptions | List | |||
DescribeCacheSubnetGroups | Grants permission to list cache subnet group descriptions | List | |||
DescribeEngineDefaultParameters | Grants permission to retrieve the default engine and system parameter information for the specified cache engine | List | |||
DescribeEvents | Grants permission to list events related to clusters, cache security groups, and cache parameter groups | List | |||
DescribeGlobalReplicationGroups | Grants permission to list information about global replication groups | List | |||
DescribeReplicationGroups | Grants permission to list information about provisioned replication groups | List | |||
DescribeReservedCacheNodes | Grants permission to list information about purchased reserved cache nodes | List | |||
DescribeReservedCacheNodesOfferings | Grants permission to list available reserved cache node offerings | List | |||
DescribeServerlessCacheSnapshots | Grants permission to list information about serverless cache snapshots | List | |||
DescribeServerlessCaches | Grants permission to list serverless caches | List | |||
DescribeServiceUpdates | Grants permission to list details of the service updates | List | |||
DescribeSnapshots | Grants permission to list information about cluster or replication group snapshots | List | |||
DescribeUpdateActions | Grants permission to list details of the update actions for a set of clusters or replication groups | List | |||
DescribeUserGroups | Grants permission to list information about Redis user groups | List | |||
DescribeUsers | Grants permission to list information about Redis users | List | |||
DisassociateGlobalReplicationGroup | Grants permission to remove a secondary replication group from the global replication group | Write | |||
ExportServerlessCacheSnapshot | Grants permission to export a copy of a serverless cache at a specific moment in time to s3 bucket | Write |
s3:DeleteObject s3:ListAllMyBuckets s3:PutObject |
||
FailoverGlobalReplicationGroup | Grants permission to failover the primary region to a selected secondary region of a global replication group | Write | |||
IncreaseNodeGroupsInGlobalReplicationGroup | Grants permission to increase the number of node groups in a global replication group | Write | |||
IncreaseReplicaCount | Grants permission to increase the number of replicas in a Redis (cluster mode disabled) replication group or the number of replica nodes in one or more node groups (shards) of a Redis (cluster mode enabled) replication group | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
InterruptClusterAzPower [permission only] | Grants permission to test an AZ power interruption for an ElastiCache resource | Write | |||
ListAllowedNodeTypeModifications | Grants permission to list available node type that can be used to scale a particular Redis cluster or replication group | List | |||
ListTagsForResource | Grants permission to list tags for an ElastiCache resource | Read | |||
ModifyCacheCluster | Grants permission to modify settings for a cluster | Write | |||
ModifyCacheParameterGroup | Grants permission to modify parameters of a cache parameter group | Write | |||
ModifyCacheSubnetGroup | Grants permission to modify an existing cache subnet group | Write | |||
ModifyGlobalReplicationGroup | Grants permission to modify settings for a global replication group | Write | |||
ModifyReplicationGroup | Grants permission to modify the settings for a replication group | Write |
elasticache:AutomaticFailoverEnabled elasticache:SnapshotRetentionLimit elasticache:CacheParameterGroupName |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
|
ModifyReplicationGroupShardConfiguration | Grants permission to add shards, remove shards, or rebalance the keyspaces among existing shards of a replication group | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
ModifyServerlessCache | Grants permission to modify parameters for a serverless cache | Write |
elasticache:SnapshotRetentionLimit elasticache:MinimumDataStorage elasticache:MaximumDataStorage |
ec2:DescribeSecurityGroups ec2:DescribeTags |
|
ModifyUser | Grants permission to change Redis user password(s) and/or access string | Write | |||
ModifyUserGroup | Grants permission to change list of users that belong to the user group | Write | |||
PurchaseReservedCacheNodesOffering | Grants permission to purchase a reserved cache node offering | Write |
elasticache:AddTagsToResource |
||
RebalanceSlotsInGlobalReplicationGroup | Grants permission to perform a key space rebalance operation to redistribute slots and ensure uniform key distribution across existing shards in a global replication group | Write | |||
RebootCacheCluster | Grants permission to reboot some, or all, of the cache nodes within a provisioned cache cluster or replication group (cluster mode disabled) | Write | |||
RemoveTagsFromResource | Grants permission to remove tags from a ElastiCache resource | Tagging | |||
ResetCacheParameterGroup | Grants permission to modify parameters of a cache parameter group back to their default values | Write | |||
RevokeCacheSecurityGroupIngress | Grants permission to remove an EC2 security group ingress from a ElastiCache security group | Write | |||
StartMigration | Grants permission to start a migration of data from hosted Redis on Amazon EC2 to ElastiCache for Redis | Write | |||
TestFailover | Grants permission to test automatic failover on a specified node group in a replication group | Write |
ec2:CreateNetworkInterface ec2:DeleteNetworkInterface ec2:DescribeNetworkInterfaces ec2:DescribeSubnets ec2:DescribeVpcs |
||
TestMigration | Grants permission to test a migration of data from hosted Redis on Amazon EC2 to ElastiCache for Redis | Write | |||
Resource types defined by Amazon ElastiCache
The following resource types are defined by this service and can be used in the Resource
element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
parametergroup |
arn:${Partition}:elasticache:${Region}:${Account}:parametergroup:${CacheParameterGroupName}
|
|
securitygroup |
arn:${Partition}:elasticache:${Region}:${Account}:securitygroup:${CacheSecurityGroupName}
|
|
subnetgroup |
arn:${Partition}:elasticache:${Region}:${Account}:subnetgroup:${CacheSubnetGroupName}
|
|
replicationgroup |
arn:${Partition}:elasticache:${Region}:${Account}:replicationgroup:${ReplicationGroupId}
|
elasticache:AtRestEncryptionEnabled elasticache:AutomaticFailoverEnabled elasticache:CacheParameterGroupName elasticache:ClusterModeEnabled elasticache:ReplicasPerNodeGroup |
cluster |
arn:${Partition}:elasticache:${Region}:${Account}:cluster:${CacheClusterId}
|
|
reserved-instance |
arn:${Partition}:elasticache:${Region}:${Account}:reserved-instance:${ReservedCacheNodeId}
|
|
snapshot |
arn:${Partition}:elasticache:${Region}:${Account}:snapshot:${SnapshotName}
|
|
globalreplicationgroup |
arn:${Partition}:elasticache::${Account}:globalreplicationgroup:${GlobalReplicationGroupId}
|
elasticache:AtRestEncryptionEnabled elasticache:AutomaticFailoverEnabled elasticache:CacheParameterGroupName elasticache:ClusterModeEnabled elasticache:ReplicasPerNodeGroup |
user |
arn:${Partition}:elasticache:${Region}:${Account}:user:${UserId}
|
|
usergroup |
arn:${Partition}:elasticache:${Region}:${Account}:usergroup:${UserGroupId}
|
|
serverlesscache |
arn:${Partition}:elasticache:${Region}:${Account}:serverlesscache:${ServerlessCacheName}
|
elasticache:MaximumDataStorage elasticache:MaximumECPUPerSecond elasticache:MinimumDataStorage |
serverlesscachesnapshot |
arn:${Partition}:elasticache:${Region}:${Account}:serverlesscachesnapshot:${ServerlessCacheSnapshotName}
|
Condition keys for Amazon ElastiCache
Amazon ElastiCache defines the following condition keys that can be used in the Condition
element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Note
For information about conditions in an IAM policy to control access to ElastiCache, see ElastiCache Keys in the Amazon ElastiCache User Guide.
Condition keys | Description | Type |
---|---|---|
aws:RequestTag/${TagKey} | Filters actions based on the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters actions based on the tags associated with the resource | String |
aws:TagKeys | Filters actions based on the tag keys that are passed in the request | ArrayOfString |
elasticache:AtRestEncryptionEnabled | Filters access by the AtRestEncryptionEnabled parameter present in the request or default false value if parameter is not present | Bool |
elasticache:AuthTokenEnabled | Filters access by the presence of non empty AuthToken parameter in the request | Bool |
elasticache:AutomaticFailoverEnabled | Filters access by the AutomaticFailoverEnabled parameter in the request | Bool |
elasticache:CacheNodeType | Filters access by the cacheNodeType parameter present in the request. This key can be used to restrict which cache node types can be used on cluster creation or scaling operations | String |
elasticache:CacheParameterGroupName | Filters access by the CacheParameterGroupName parameter in the request | String |
elasticache:ClusterModeEnabled | Filters access by the cluster mode parameter present in the request. Default value for single node group (shard) creations is false | Bool |
elasticache:DataStorageUnit | Filters access by the CacheUsageLimits.DataStorage.Unit parameter in the CreateServerlessCache and ModifyServerlessCache request | String |
elasticache:EngineType | Filters access by the engine type present in creation requests. For replication group creations, default engine 'redis' is used as key if parameter is not present | String |
elasticache:EngineVersion | Filters access by the engineVersion parameter present in creation or cluster modification requests | String |
elasticache:KmsKeyId | Filters access by the Key ID of the KMS key | String |
elasticache:MaximumDataStorage | Filters access by the CacheUsageLimits.DataStorage.Maximum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric |
elasticache:MaximumECPUPerSecond | Filters access by the CacheUsageLimits.ECPUPerSecond.Maximum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric |
elasticache:MinimumDataStorage | Filters access by the CacheUsageLimits.DataStorage.Minimum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric |
elasticache:MinimumECPUPerSecond | Filters access by the CacheUsageLimits.ECPUPerSecond.Minimum parameter in the CreateServerlessCache and ModifyServerlessCache request | Numeric |
elasticache:MultiAZEnabled | Filters access by the AZMode parameter, MultiAZEnabled parameter or the number of availability zones that the cluster or replication group can be placed in | Bool |
elasticache:NumNodeGroups | Filters access by the NumNodeGroups or NodeGroupCount parameter specified in the request. This key can be used to restrict the number of node groups (shards) clusters can have after creation or scaling operations | Numeric |
elasticache:ReplicasPerNodeGroup | Filters access by the number of replicas per node group (shards) specified in creations or scaling requests | Numeric |
elasticache:SnapshotRetentionLimit | Filters access by the SnapshotRetentionLimit parameter in the request | Numeric |
elasticache:TransitEncryptionEnabled | Filters access by the TransitEncryptionEnabled parameter present in the request. For replication group creations, default value 'false' is used as key if parameter is not present | Bool |
elasticache:UserAuthenticationMode | Filters access by the UserAuthenticationMode parameter in the request | String |